Uploaded by Han Nguyen

Auditing & Assurance Services 9th edition

advertisement
Auditing &
Assurance Services
Timothy J. Louwers, PhD, CPA,
CISA, CFF
Professor Emeritus
James Madison University
Penelope L. Bagley, PhD, CPA
Department Chair and
Kenneth E. Peacock Distinguished Professor
Appalachian State University
Allen D. Blay, PhD, CPA
Department Chair and
EY Professor of Accounting
Florida State University
Jerry R. Strawser, PhD, CPA
KPMG Chair and Professor of Accounting
Texas A&M University
Jay C. Thibodeau, PhD, CPA
Rae D. Anderson Professor of Accounting
Bentley University
Final PDF to printer
AUDITING & ASSURANCE SERVICES
Published by McGraw Hill LLC, 1325 Avenue of the Americas, New York, NY 10019. Copyright
©2024 by McGraw Hill LLC. All rights reserved. Printed in the United States of America. No part of
this publication may be reproduced or distributed in any form or by any means, or stored in a database or
retrieval system, without the prior written consent of McGraw Hill LLC, including, but not limited to, in
any network or other electronic storage or transmission, or broadcast for distance learning.
Some ancillaries, including electronic and print components, may not be available to customers outside
the United States.
This book is printed on acid-free paper.
1 2 3 4 5 6 7 8 9 LWI 28 27 26 25 24 23
ISBN 978-1-266-28599-8
MHID 1-266-28599-7
Cover Image: paul kline/E+/Getty Images
All credits appearing on page or at the end of the book are considered to be an extension of the copyright page.
The Internet addresses listed in the text were accurate at the time of publication. The inclusion of a
website does not indicate an endorsement by the authors or McGraw Hill LLC, and McGraw Hill LLC
does not guarantee the accuracy of the information presented at these sites.
mheducation.com/highered
lou85997_fm_ise.indd
ii
10/10/22 07:11 pm
Some people come into our lives and quickly go. Some
stay awhile and leave footprints on our hearts and we
are never quite the same.
Anonymous
We dedicate this book to the following educators
whose footprints we try to follow:
Professor Homer
Bates
(University of North Florida)
Professor Stanley Biggs
(University of Connecticut)
Professor Lewis C. Buller
(Indiana State University)
Professor Patrick Delaney
(Northern Illinois University)
Professor William Hillison
(Florida State University)
Professor John Ivancevich
(University of Houston)
Professor Richard Kochanek
(University of Connecticut)
Professor John L. “Jack” Kramer
(University of Florida)
Professor Jack Robertson
(University of Texas at Austin)
Professor Robert Strawser
(Texas A&M University)
Professor Sally Webber
(Northern Illinois University)
Professor “IBM Jim” Whitney
(The Citadel)
Meet the Authors
Timothy J. Louwers
Courtesy of James Madison
University
is Professor Emeritus at James Madison University.
Professor Louwers received his undergraduate and master’s degrees from The Citadel and
his PhD from Florida State University. Prior to beginning his academic career, he worked
in public accounting with KPMG, specializing in financial, governmental, and information
systems auditing. He is a certified public accountant (South Carolina and Virginia) and a
certified information systems auditor. He is also certified in financial forensics.
Professor Louwers’s research interests include auditors’ reporting decisions and ethical
issues in the accounting profession. He has authored or coauthored more than 60 publications
on a wide range of accounting, auditing, and technology-related topics, including articles
in the Journal of Accounting Research, Accounting Horizons, the Journal of Business Ethics,
Behavioral Research in Accounting, Decision Sciences, the Journal of Forensic Accounting,
Issues in Accounting Education, the Journal of Accountancy, the CPA Journal, and
Today’s CPA. Some of his published work has been reprinted in Russian and Chinese.
He is a respected lecturer on auditing and technology-related issues and has received
teaching excellence awards from the University of Houston and Louisiana State University.
He has appeared on both local and national television news broadcasts, including MSNBC
and CNN news programs.
Penelope L. Bagley
Courtesy of Appalachian
State University
is the Department Chairperson and the Kenneth E.
Peacock Distinguished Professor.
Professor Bagley received her undergraduate and master’s degrees from North Carolina
State University and her PhD from the University of Georgia. Prior to obtaining her
PhD, Professor Bagley worked for a short time in the audit field. She is a certified public
accountant in North Carolina. Professor Bagley teaches both undergraduate and graduate auditing courses. She has authored and coauthored publications on accounting and
auditing topics in journals such as Auditing: A Journal of Practice & Theory, Accounting Horizons, and Behavioral Research in Accounting. She has also coauthored auditing
cases, published in Issues in Accounting Education. Professor Bagley is active in the
American Accounting Association and has served on various committees for the Auditing Section. Professor Bagley likes to spend time with her husband Matt and children,
Garrett and Julianne. She enjoys exercising in her spare time, she regularly competes in
running and triathlon races. Her crowning athletic achievement was qualifying for and
running the 2019 Boston Marathon.
Allen D. Blay is the Department Chair and EY Professor of Accounting at
Florida State University.
Professor Blay completed his PhD at the University of Florida in 2000. He teaches auditing at all levels and teaches a seminar in auditing research in the doctoral program. His
research interests relate to auditor judgment and decision making. Professor Blay has
authored or coauthored publications on a wide range of accounting and auditing topics
in journals such as The Accounting Review, Contemporary Accounting Research, Auditing: A Journal of Practice and Theory, Organizational Behavior and Human Decision
Processes, the Journal of Business Ethics, Behavioral Research in Accounting, Issues in
Accounting Education, the International Journal of Auditing, and the Journal of Accounting, Auditing, and Finance. He is currently an editor for Issues in Accounting Education
and serves on several editorial boards.
Courtesy of Kallen M. Lunt
iv
Meet the Authors
v
Professor Blay has been active in the American Accounting Association and is 2022–
23 president of the Auditing Section. He also cochaired the 2020 Auditing Section Midyear Meeting and served on the steering committee for the Intensive Data and Analytics
Summer Workshop each year since its inception, as well as in many other roles over the
years. He is also active in the American Institute of CPAs, serving in various volunteer
roles relating to the Uniform CPA Exam. Prior to entering academics, Professor Blay
worked in public accounting auditing financial institutions. He currently is chair of the
accounting department at Florida State University.
Jerry R. Strawser
Courtesy of Michael Kellett
for Mays Business School
is Associate Dean for Graduate Programs at Mays
Business School at Texas A&M University and holds the KPMG Chair in Accounting.
Prior to his current appointment, Professor Strawser served as executive vice president
and chief financial officer at Texas A&M University, dean of Mays Business School at
Texas A&M University, interim executive vice president and provost at Texas A&M
University, interim dean of the C. T. Bauer College of Business at the University of
Houston, and Arthur Andersen & Co. Alumni Professor of Accounting.
Professor Strawser has coauthored three textbooks and more than 60 journal articles. In
addition to his academic experience, he had prior public accounting experience at two Big
Four accounting firms. He has also developed and delivered numerous executive development programs to organizations such as AT&T, Centerpoint Energy, Continental Airlines, ConocoPhillips, Halliburton, KBR, KPMG, Minute Maid, PricewaterhouseCoopers,
McDermott International, Shell, Southwest Bank of Texas, and the Texas Society of Certified Public Accountants. Professor Strawser is a certified public accountant in the state of
Texas and earned his BBA and PhD in accounting from Texas A&M University.
Jay C. Thibodeau
Courtesy of Bentley
University
is the Rae D. Anderson Professor of Accounting and
Director of PhD Programs at Bentley University.
Professor Thibodeau is a former auditor and a CPA. He received his BS degree from
the University of Connecticut in 1987 and his PhD from the University of Connecticut
in 1996. He has conducted executive education programs for numerous leading firms
including Fidelity Investments, KPMG, PricewaterhouseCoopers, Stryker, and Bluecoat
Technologies.
He is a coauthor of two books, Auditing and Assurance Services and Auditing and
Accounting Cases: Investigating Issues of Fraud and Professional Ethics. In addition, he
has written over 60 articles and book chapters for academics and practitioners and has
published in journals such as Auditing: A Journal of Practice & Theory, Journal of Information Systems, Accounting Horizons and Issues in Accounting Education.
Professor Thibodeau served as the president of the Auditing Section of the American
Accounting Association for the 2014/2015 academic year. He has also received national
recognition for his work seven times. First, for his thesis, winning the 1996 Outstanding Doctoral Dissertation Award presented by the ABO section of the AAA. Four other
times, for curriculum innovation, winning the 2001 Joint AICPA/AAA Collaboration
Award, the 2003 Innovation in Assurance Education Award, the 2016 Forensic Accounting Teaching Innovation Award, and the 2019 Innovation in Assurance Education Award.
Once, for outstanding service, receiving a Special Service Award from the Auditing Section for his work in helping to create the Center for Audit Quality’s Access to Auditors
program. And, finally, for research excellence, winning the 2020 Glen McLaughlin Prize
for Research in Accounting and Ethics given by the University of Oklahoma.
Look Beneath the Surface. . .
As auditors, we are trained to investigate beyond appearances to determine the underlying
facts—in other words, to look beneath the surface. Whether evaluating the Enron and WorldCom scandals of the early 2000s, the financial crisis of 2007–2008, the Wirecard fraud in
2020 or present-day issues and challenges related to significant estimation uncertainty, understanding the auditor’s responsibility related to fraud, maintaining a clear perspective, probing
for details, and understanding the big picture are indispensable to effective auditing.
With the availability of greater levels of qualitative and quantitative information
(“Big Data”), the need for technical skills and challenges facing today’s auditor is greater
than ever. The Louwers, Bagley, Blay, Strawser, and Thibodeau team has dedicated
years of experience in the auditing field to this new edition of Auditing & Assurance
Services, supplying the necessary investigative tools for future auditors.
Cutting-Edge Coverage
The ninth edition of Auditing & Assurance Services continues its tradition as the most
up-to-date auditing text on the market. All chapters and modules have been revised to
incorporate
∙ The latest professional standards, recodifications, and proposals from the International Auditing and Assurance Standards Board, Auditing Standards Board, and
Public Company Accounting Oversight Board.
∙ A list of the relevant professional standards that are covered in that chapter, including
comprehensive coverage of the new PCAOB standards on auditing estimates.
Data Analytics
One trend has emerged as a potential sea change in the financial statement auditing process:
the data and analytics challenge.
We believe students should be prepared to make the best use possible of relevant data
using state-of-the-art analytical tools. In fact, the terms big data and data and analytics
are frequently being used to describe a growing movement among audit professionals.
As the AICPA moves to add data and analytics onto the Uniform CPA Examination, our
collective view is that students must be able to not only meet current requirements, but
be ahead of the game.
To prepare students, the ninth edition of Auditing & Assurance Services has been
revised deliberately to help students critically think about the use of increased data and
analytical tools in the financial statement audit. In addition to changes within the main
chapters of the book, we have added
∙ A new comprehensive example of data and analytics in auditing included in
Module G, which follows the AICPA Guide to Data Analytics and covers the entire
thought process of an auditor.
∙ Updated data to Author-Created Cases and Exercises (as part of Data Analytics
Module) that cover the majority of uses of data analytics in the financial statement
audit, along with extensive solutions to help instructors implement the materials in
their classroom.
It is our belief that students should be trained in the process of data and analytics and
learn to think critically about situations they may face in an audit. We believe that the
knowledge students attain should be software independent, particularly since software
vi
technology changes so rapidly. However, we also believe that it is important for students
to become familiar with at least one specific data and analytic software tool, and recent
AACSB standards echo this belief. Thus, an important goal of the ninth edition is to
provide a clear and implementable method to fully integrate a leading data analysis tool,
the IDEA Data Analysis software, into the auditing class. Many of our exercises,
however, can be implemented using whatever technology an instructor chooses to
use, like Excel or Alteryx.
We believe that IDEA provides an outstanding platform to illustrate the steps that
auditors need to take related to data and data analysis while completing the financial
statement audit. Leading auditing professionals have confirmed that using IDEA is
an outstanding way for entry-level auditing professionals to begin the journey into
the world of big data and data analytics. Simply stated, big data is manifested in the
financial statement auditing process through the use of tools like IDEA.
Overall, our revisions related to the big data challenge were designed to provide
instructors a set of tools and mechanisms to bring data and analytics into the classroom
in a meaningful way. Through the use of these tools, students can be sure they are
prepared to enter practice with an appreciation for and knowledge of the increasing
importance of data and analytics in the auditing profession.
Perhaps most importantly, the ninth edition of Auditing & Assurance Services
also continues to be the most up-to-date auditing text on the market. All chapters and
modules have been revised to incorporate the latest updates from the international
standards of auditing (ISAs), the Auditing Standards Board (ASB), and the Public
Company Accounting Oversight Board (PCAOB). With Auditing & Assurance
Services, ninth edition, students are prepared to take on auditing’s latest challenges.
The Louwers author team uses a conversational, yet professional tone—hailed by
reviewers as a key strength of the book.
Flexible Organization
Auditing & Assurance Services teaches students auditing concepts by emphasizing real-life contexts when describing the
auditing process. The authors use chapters and modules to
Chapters
The 12 chapters cover the auditing process extensively with a multitude of
cases designed to give students a better
understanding of how a best-practice
concept developed from real-world
situations.
“The format allows you to integrate the
modules into the chapter material in
any way you would find useful.”
—Frank J. Beil, University of Minnesota
Modules
Modules A–I provide instructors additional
material that can be used throughout the
course. Topics such as fraud, ethics, sampling, technology and the integrated audit
are covered in the modules, which are
designed to be taught whenever instructors
want to introduce the topic in their course.
vii
achieve this goal. Although the chapters follow a logical sequence that we recommend
professors consider for their classes, the modules have been written to be used on a
stand-alone basis. In essence, the modules have been deliberately prepared for entirely
flexible implementation of these topics without excessive reliance on chapter sequencing.
We encourage you to integrate these modules into your syllabi in a manner that best
suits your approach to the auditing course.
An additional feature that provides instructor flexibility is an alternate chapter
(with a full complement of supplemental and ancillary materials) that focuses on the
PCAOB audit report for issuers. In addition, PCAOB versions of report examples
and summary exhibits and end of chapter materials have been prepared to accompany the AICPA reporting chapter. This provides instructors with three options to
teach audit reporting:
1. Focus exclusively on the AICPA report (text copy)
2. Focus on the AICPA report while introducing differences between the AICPA report
and PCAOB report (text copy and summary materials available on Connect)
3. Focus exclusively on the PCAOB report (alternate chapter available on Connect)
Engage Your Students with Real Examples
An effective accounting textbook integrates real-world scenarios with theoretical discussion. Auditing & Assurance Services places the student in the role of a decision maker
by illustrating the application of auditing concepts using actual situations experienced
by accounting firms and companies such as
∙ Each chapter or module opens with a “real-world” example that draws upon concepts
discussed within that chapter or module.
∙ A series of mini-cases and Updated Classroom Cases available on the Instructor
Resource Center have been developed for use by instructors to further bring text
material to life. These resources feature real situations experienced by companies,
individuals, or accounting firms and are updated by the authors to include both
timeless classics such as Arthur Andersen’s failure to detect fraud at Enron to more
recent situations such as the Wirecard fraud and PCAOB inspections of audits conducted for Chinese companies listed on U.S. exchanges.
Updated Classroom Cases
The author-prepared Updated Classroom Cases provides students and instructors with a
brief overview of “real-time” auditing issues, along with references to suggested readings and guidelines for incorporating the content into the classroom. Previous items
have featured the KPMG “Steal the Exam” issue related to PCAOB inspections and
the 2018 ban of PwC for audits of companies listed on the India Stock Exchange. We
have added cases that address recent issues and developments in the accounting and
auditing profession, such as the Theranos fraud, Wirecard fraud, Luckin Coffee fraud,
and PCAOB inspections of audits conducted for Chinese companies listed on U.S.
exchanges. New items are added as events develop and are available in Connect.
viii
Fraud Awareness
The fraud coverage in Auditing & Assurance Services is extensive and is complemented
by real-world examples chosen to engage students through the following tools:
∙ Auditing Insights integrated throughout the text.
∙ Mini-cases and Updated Classroom cases that may be assigned to supplement text
chapters and modules that expose students to landmark fraud cases including Enron,
Satyam Computer Services, and Luckin Coffee.
∙ Specific discussion of management fraud (Chapter 4), employee fraud (Chapter 6),
and the Certified Fraud Examiner Exam (Module D).
Create a State-of-the-Art Learning Environment:
Instructor Resources
The author team and McGraw Hill are dedicated to providing instructors with the best
teaching resources available. In addition to the solutions manual, test bank, PowerPoint
Presentations, and the Apollo Shoe Case, the following resources are also available.
The Updated Auditor
The author team scrutinizes leading business and academic publications for relevant
issues and research that sheds light on auditing and the audit process. Recent findings
from academic research and discussions from professional literature are drawn from the
following publications:
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
Accounting Horizons,
Accounting Today,
Auditing: A Journal of Practice & Theory,
Behavioral Research in Accounting,
Bloomberg Businessweek,
CFO.com,
CPA Journal,
Journal of Accountancy,
Journal of Accounting and Economics,
The Accounting Review,
The Wall Street Journal,
These excerpts are highlighted throughout the text as Auditing Insights to allow for
easy identification and review by instructors and students.
In addition to the use of Auditing Insights, on a monthly basis, the author team provides an Updated Auditor briefing, which summarizes the content of relevant business
and academic publications on a chapter-by-chapter basis, to allow students to apply current developments in the profession with material discussed in class. The Updated Auditor briefing is available in Connect. With the Updated Auditor, instructors will always
be at the cutting edge of auditing practice!
ix
IDEA Software and Workbook
With the availability of unprecedented amounts of quantitative and qualitative information
and tools available to access and process that information, it is imperative that students
learn and utilize the latest technologies used by auditing professionals. As previously
stated, McGraw Hill Education has forged a partnership with Caseware Analytics for
the use of the IDEA data analysis tool. Chapters 3 (audit planning), 4 (risk assessment), 5
(internal control), 7–9 (operating cycle chapters), both modules on sampling (Modules E
and F), and the new data and analytics module (Module G) have been revised to
reference the use of IDEA within the chapter or module.
In addition, the ninth edition includes end-of-chapter exercises utilizing author-developed
databases exclusively for use with Auditing & Assurance Services as well as supplemental
materials available in Connect to complement the IDEA workbook and provide hands-on
instructions on using the IDEA software. The authors also provide
∙ Implementation guidance to instructors.
∙ Robust video walk-throughs.
∙ Detailed solutions and explanations on this new content.
Overall, the author team has provided significant resources to prepare students for the
auditing environment in 2023 and beyond.
Standards Update
The professional standards facing auditors continue to evolve. The author-prepared Standards
Update provides a summary of current exposure drafts and pronouncements issued
subsequent to the publication of the text. This invaluable resource provides students
and instructors with an “evergreen” text and summarizes the most current activities
of the Auditing Standards Board and Public Company Accounting Oversight Board.
The Standards Update is updated biannually and is available in Connect.
Highlights of Auditing & Assurance Services, 9e
In response to feedback and guidance from numerous auditing accounting faculty, the
authors have made many important changes to the ninth edition of Auditing & Assurance
Services, including the following:
∙ The ninth edition of Auditing & Assurance Services features Connect and SmartBook.
∙ Module G has been updated to include full coverage of the current uses of Data and
Analytics in auditing, including extensive Data Analytics Exercises with authorcreated data.
∙ Module I is new to the ninth edition. The module is focused on describing the steps and
complexities involved in the audit of internal control over financial reporting at an issuer.
∙ All chapters and modules have been revised to incorporate professional standards adopted
through January 2022.
∙ Updates have been added to the Apollo Shoes, Inc. case with Data Analytics content.
Apollo Shoes, Inc. is an audit case designed to introduce students to the entire audit
process. Auto-gradable questions, instructor implementation guide, and videos can be
found online in Connect.
x
∙ Auditing Insight boxes have been added and updated throughout the textbook to
place issues discussed within the text into a real-world context. These boxes incorporate numerous examples from business and academic publications as well as actual
company annual reports and audit reports.
∙ Examples using the Caseware IDEA software are included in Chapters 3, 4, 5, 7,
8, 9, Module E, Module F, and the new Module G focusing on Data and Analytics.
In addition, end-of-chapter exercises using author-developed databases exclusively
for use with Auditing & Assurance Services as well as supplemental materials to
complement the IDEA workbook are provided.
∙ Tables in the cycle chapters have been fully standardized to focus on the risk assessment
process for each relevant assertion. The chapters provide a consistent focus on how
auditors respond to assessed risk of material misstatement, through the incorporation
of easy-to-read tables throughout Chapters 6 through 10 to highlight the key issues
and risks faced by auditors in the examination of different accounts. These tables take
the students through the risk assessment process for each cycle on a step-by-step basis
to mirror the methodology used in current audit practice.
Remote Proctoring and Browser-Locking Capabilities
Remote proctoring and browser-locking capabilities, hosted by Proctorio within Connect,
provide control of the assessment environment by enabling security options and verifying
the identity of the student.
Seamlessly integrated within Connect, these services allow instructors to control
the assessment experience by verifying identification, restricting browser activity, and
monitoring student actions.
Instant and detailed reporting gives instructors an at-a-glance view of potential academic
integrity concerns, thereby avoiding personal bias and supporting evidence-based claims.
Tegrity: Lectures 24/7
Tegrity in Connect is a tool that makes class time available 24/7 by automatically
capturing every lecture. With a simple one-click start-and-stop process, you capture
all computer screens and corresponding audio in a format that is easy to search, frame
by frame. Students can replay any part of any class with easy-to-use, browser-based
viewing on a PC, Mac, iPod, or other mobile device.
Educators know that the more students can see, hear, and experience class resources,
the better they learn. In fact, studies prove it. Tegrity’s unique search feature helps students
efficiently find what they need, when they need it, across an entire semester of class
recordings. Help turn your students’ study time into learning moments immediately supported by your lecture. With Tegrity, you also increase intent listening and class participation by easing students’ concerns about note-taking. Using Tegrity in Connect will make
it more likely you will see students’ faces, not the tops of their heads.
Test Builder in Connect
Available within Connect, Test Builder is a cloud-based tool that enables instructors to
format tests that can be printed or administered within a Learning Management System
xi
(LMS). Test Builder offers a modern, streamlined interface for easy content configuration
that matches course needs, without requiring a download.
Test Builder allows you to
∙ Access all test bank content from a particular title.
∙ Easily pinpoint the most relevant content through robust filtering options.
∙ Manipulate the order of questions or scramble questions and/or answers.
∙ Pin questions to a specific location within a test.
∙ Determine your preferred treatment of algorithmic questions.
∙ Choose the layout and spacing.
∙ Add instructions and configure default settings.
Test Builder provides a secure interface for better protection of content and allows
for just-in-time updates to flow directly into assessments.
Association to Advance Collegiate Schools of
Business (AACSB) Statement
McGraw Hill Education is a proud corporate member of AACSB International. Understanding the importance and value of AACSB accreditation, Auditing & Assurance Services,
9e, recognizes the curricula guidelines detailed in the AACSB standards for business
accreditation by connecting selected questions in the text and test bank to the eight general knowledge and skill guidelines in the AACSB standards. The statements contained
in Auditing & Assurance Services, 9e, are provided only as a guide for the users of this textbook. The AACSB leaves content coverage and assessment within the purview of individual
schools, their mission, and their faculty. Although Auditing & Assurance Services, 9e, and
the teaching package make no claim of any specific AACSB qualification or evaluation,
we have within Auditing & Assurance Services, 9e, labeled selected questions in Connect
according to the eight general knowledge and skills areas.
McGraw Hill Education and UWorld are dedicated to supporting every accounting student
along their journey, ultimately helping them achieve career success in the accounting profession.
xii
In partnership with UWorld, a global leader in education technology, we provide
students a smooth transition from the accounting classroom to successful completion
of the CPA Exam. While many aspiring accountants wait until they have completed
their academic studies to begin preparing for the CPA Exam, research shows that those
who become familiar with exam content earlier in the process have a stronger chance
of successfully passing. Accordingly, students using these McGraw Hill materials will
have access to the highest quality CPA Exam multiple-choice questions and task-based
simulations from UWorld, with expert-written explanations and solutions. All questions
are either directly from the AICPA or are modeled on AICPA questions that appear in
the exam. Task-based simulations are delivered via the UWorld platform, which mirrors
the look, feel, and functionality of the actual exam. For more information about the full
UWorld CPA Review program, exam requirements, and exam content, visit https://
accounting.uworld.com/cpa-review/partner/university/.
New to the Ninth Edition of
Auditing & Assurance Services
Part I: The Contemporary
Auditing Environment
The following breakdown shows the revisions we made
on a chapter-by-chapter basis:
CHAPTER 1: Auditing and Assurance Services
∙ Revised the section on management's financial statement assertions to reflect the changes to the ASB assertion classifications brought on by SAS 134 (Paragraph
A133). The new guidance eliminates the category
related to presentation and footnote disclosures and
now categorizes those assertions within the events and
transactions and the account balances categories. The
guidance became effective on December 15, 2021.
∙ Added new Auditing Insights related to: (1) a new
measure of accounting reporting complexity using
XBRL; (2) the issue of whether the Evergrande
Group should have received a going-concern opinion; and (3) the possibility of Big Four firms adding
legal services to their professional service offerings.
∙ Revised the section that introduces assurance,
attestation, and audit services. In addition, added
two related Auditing Insights that describe the new
IFRS International Sustainability Standards Board
and Non-Fungible Tokens. Both of these areas represent significant assurance opportunities for CPA
firms.
CHAPTER 2: Professional Standards
∙ Added opening vignette discussing current issues
surrounding the PCAOB's inability to inspect audits
of Chinese companies listed on U.S. exchanges.
∙ Added Auditing Insights related to Mattel and
independence, updates on the United Kingdom's
Financial and Reporting Council requirements for
reducing the influence of Big Four firms, and the
Wirecard fraud and reliability of audit evidence.
∙ Updated Auditing Insights on KPMG's advance
notification of audits selected for PCAOB inspection,
academic research related to PCAOB inspections,
and the results of PCAOB inspections for the Big
Four firms.
Part II: The Financial Statement Audit
CHAPTER 3: Engagement Planning
∙ Added new introductory vignette discussing recent
large auditor switches and considerations when
determining to accept a new audit client.
∙ Added a new exhibit to better highlight the various
parties’ responsibilities with regard to communicating with predecessor auditor when making client
acceptance decisions.
∙ Included review checkpoint focusing on independence.
∙ Added a new Auditing Insight discussing finding
from academic study regarding the use of audit specialists in the audit engagement.
∙ Included a brief discussion of “eating time” in the
Time Budget discussion and added a new end of
chapter exercise related to eating time.
∙ Added a new exhibit highlighting relationship of
overall materiality to performance materiality, two
new review checkpoints, and a new end of chapter
question focusing on materiality.
∙ Updated Assertions, Evidence, and Audit Procedures table for new AICPA assertions, per SAS No.
134, Auditor Reporting and Amendments, including
Amendments Addressing Disclosures in the Audit of
Financial Statements, Paragraph A133.
∙ Updated Audit Insights and examples throughout the
chapter.
CHAPTER 4: The Audit Risk Model and Inherent
Risk Assessment
∙ Consolidated prior Learning Objectives 4-5 and 4-6
into one more comprehensive learning objective.
∙ Added a new introductory vignette highlighting the
impact of the COVID-19 pandemic on audit risk
assessment and auditor’s planned responses to risk.
∙ Updated discussion on how the audit risk model
is used in practice, moving away from quantitative calculations of risk and instead focusing on
qualitative terms (low, moderate, high) and the
relationships of the various risks within the model
and the implications for audit planning. Updated
multiple choice questions at the end of the chapter, moving away from qualitative audit risk model
calculations.
∙ Included review checkpoint focusing on the relationships highlighted throughout the audit risk model.
∙ Added a new Auditing Insight focusing on how the
COVID-19 pandemic has impacted fraud detection
and growth.
xiii
∙ Updated Exhibit 4.9 (formally 4.7) to highlight
misstatements by assertion, utilizing new AICPA
assertions.
∙ Updated Audit Insights and examples throughout
the chapter.
CHAPTER 5: Risk Assessment: Internal Control
Evaluation
∙ Removed all material related to the internal control
over financial reporting required for issuers by
the Sarbanes–Oxley Act of 2002 and moved such
material to a new Module I.
∙ Focused this chapter entirely on the evaluation of
the system of internal control on the financial statement audit. By splitting this chapter, we believe that
it will be a better way to present the internal control
topic to students.
∙ Moved the section that described the limitations
of an internal control system directly following its
definition, allowing for a complete understanding of
what is meant by an effective internal control system
and its limitations.
CHAPTER 6: Employee Fraud and the Audit of Cash
∙ Added multiple new and current Auditing Insights.
∙ Fully updated the audit approach to confirmations to
reflect the current electronic confirmation environment.
CHAPTER 7: Revenue and Collection Cycle
∙ Fully updated Auditing Insight boxes to include several
new examples.
∙ Converted several additional end of chapter exercises
to machine-gradable Connect versions.
∙ Provided new PCAOB Inspection Focus boxes to
emphasize risk areas in audit inspections.
CHAPTER 8: Acquisition and Expenditure Cycle
∙ Further revised all tables in the chapter to be identical in format and consistent for all cycle chapters
(6-10). This enables instructors to present a common
format that matches the current method of auditing,
from identification of significant accounts and relevant assertions to substantive procedures to audit
residual risks.
∙ Added multiple new Auditing Insights covering current news related to auditing the expenditure cycle.
∙ Added new PCAOB Inspection Insight boxes to provide students with specific examples of risk areas in
the acquisition and expenditure cycle.
xiv
CHAPTER 9: Production Cycle and the Audit of
Inventory
∙ Revised the chapter to continue to remove focus from
the production cycle and increase coverage of inventory substantive procedures. The chapter addresses
risks of material misstatement in the inventory account
for companies ranging from manufacturers to retailers
such as Target.
∙ Revised all tables in the chapter to be identical in
format for all cycle chapters (6–10). This enables
instructors to present a common format that matches
the current method of auditing, from identification
of significant accounts and relevant assertions to
substantive procedures to audit residual risks.
∙ Included a discussion of auditing difficulties related
to remote auditing of inventory counts.
∙ New PCAOB Inspection Focus boxes provide a
direct link to risk areas in the audit of inventory.
CHAPTER 10: Finance and Investment Cycle
∙ Significantly expanded the discussion of auditing
accounting estimates, including fair values, to address
the newly revised PCAOB standards. In addition,
added a much more detailed discussion of the general
approach to auditing accounting estimates.
∙ Updated tables throughout the chapter to include
examples involving auditing accounting estimates in
investment accounts.
∙ Included new PCAOB Inspection Insight boxes to
demonstrate risk areas within the finance and investment cycle.
CHAPTER 11: Completing the Audit
∙ Added a new introductory vignette featuring Eastman
Kodak Company (Kodak) and the going-concern
assessment auditors must do when completing the audit.
∙ Added two new Auditing Insights related to auditing
estimates, one discussing the impact of estimates
on Amazon Inc.’s financial statements, another
discussing the difficulty of auditing estimates.
∙ Added a new Auditing Insight discussing the difficulty
of auditing estimates.
∙ Updated Audit Insights and examples throughout
the chapter.
CHAPTER 12: Reports on Audited Financial Statements
∙ Added opening vignette illustrating how COVID-19
impacted the going-concern reporting for various
companies, including Norwegian Cruise Lines and
Carnival Cruise Lines.
∙ Added or updated Auditing Insights related to scope
limitations, component auditors (with data drawn from
the PCAOB's Form AP disclosure database), additional
disclosures in auditors' reports, going-concern reports
(with data drawn from the Audit Analytics database),
and comparative reporting for General Motors in light
of their change in auditors from Deloitte to EY.
∙ Added excerpts from actual auditors' reports for
consistency (Nike), going concern (PG&E), and
supplemental information (General Electric).
∙ Updated Auditing Insights summarizing the results of
recent academic research on going concern reports.
∙ Included discussion of reporting on financial statements
prepared using special purpose frameworks; specified
elements, accounts, or items; and compliance with contractual agreements or regulatory requirements.
∙ Developed alternate reporting chapter and supporting materials that provides instructors with flexibility in covering the AICPA auditors' report, PCAOB
auditors' report, or both reports.
Part III: Stand-Alone Modules
MODULE A: Other Public Accounting Services
∙ Moved material on reporting on financial statements
prepared using special purpose frameworks; specified elements, accounts, or items; and compliance
with contractual agreements or regulatory requirements to Chapter 12 to focus on engagements other
than GAAS/PCAOB audits.
∙ Incorporated guidance provided by Statement on
Standards for Attestation Engagements No. 21 that
created two types of examination engagements
(assertion-based examination engagements and
direct examination engagements).
∙ Expanded coverage of Service Organization Controls
(SOC) engagements, including providing excerpted
wording used in Type 1 and Type 2 reports.
∙ Added Auditing Insights on deficiencies identified
in PCAOB inspections for audits involving service
organizations and broker-dealer compliance, Phillip
Morris' integrated report and examples of assurance
provided by auditors on information included in that
report, trends in corporate responsibility reporting
and academic research examining accountant assurance on this information, and the SEC's 2022 proposal for disclosure of greenhouse-gas emissions
and energy consumption and the potential impact of
these disclosures on accountant assurance.
MODULE B: Professional Ethics
∙ Added an Auditing Insight that focuses on recent
calls by regulators to investigate possible conflicts
of interest at accounting firms, questioning whether
consulting services impact their independent financial statement audit.
∙ Added an Auditing Insight that describes the difficulty
in changing auditors. By using the example of
KPMG, which had been auditing General Electric
since 1909, the insight illuminates that it is not an
easy task. As the Insight describes, “in theory making a
switch to another auditor sounds simple, the reality
is that it is anything but.”
∙ Added an Auditing Insight that describes how two partners at PwC were fined individually, for inadequate
audit work on British tech company Redcentric Plc due
to a lack of competence in conducting the audit. Also,
added an Auditing Insight which illustrates how three
Ernst & Young employees violated independence rules
when they used contingent fees for billing a client for
tax services. Taken together, the insights provide useful
examples to students of what can happen if they violate
the AICPA rules of conduct.
MODULE C: Legal Liability
∙ Added a new Auditing Insight featuring the implications of legal liability to junior auditors, highlighting
recent filings of UK audit regulator against junior
auditors.
∙ Updated Auditing Insight on Foreign Corrupt Practices
Act violations.
∙ Updated Auditing Insight on class action lawsuits.
∙ Updated Auditing Insight for recent academic research
on factors influencing auditor litigation.
MODULE D: Internal Audits, Governmental
Audits, and Fraud Examinations
∙ Reorganization of Internal Audit section, discussion of
Internal Audit Standards now precedes discussion
xv
of Types of Internal Audit Services and Internal
Audit Reports.
∙ Updated Auditing Insights and examples throughout
the modules to reflect current events and trends.
∙ Updated discussion of Benford’s Law.
MODULES E and F: Sampling
∙ Updated Auditing Insights for deficiencies identified in
PCAOB inspections related to the application of attributes (Module E) and variables (Module F) sampling.
∙ Expanded and clarified walk-through examples to
illustrate the use of IDEA in attributes and variables
sampling.
MODULE G: Data and Analytics in Auditing
∙ Added a comprehensive example to illustrate the
steps that auditors are following in completing Data
and Analytics in auditing. The example walks
through each of the the techniques that should be
conducted using the audit of accounts receivable and
revenue in a financial statement audit. Importantly,
the module follows the approach from the AICPA
Guide to Audit Data Analytics. Most notably, the
example is included within Connect to allow for
continuous updating and the most current and relevant approach to be employed on a continuous basis.
∙ Updated data and analytics exercises in the new
Module G related to revenue recognition, along with
several existing author-created and IDEA workbook
exercises, enabling instructors to have many options for
integration of data analytics into their courses with new
solutions to reduce the availability of answers to students.
∙ Updated data for all data and analytic exercises
included within both this chapter and Module G that
focus on issues related to audits of the inventory
account. The revised data reduces the likelihood of
student access to solutions.
∙ Updated the section describing the common tools
used in Audit Data Analytics based on the author
team's cutting-edge understanding of practice.
∙ The updated end-of-chapter multiple choice, exercises, and problems contain entirely author-created
questions and examples, as well as significant assistance for instructors for implementing the exercises
in their classrooms.
xvi
MODULE H: Auditing and Information Technology
∙ Included a new introduction to the chapter that
describes a relatable example of the different ways
that information technology (IT) errors can impact
an audit client. The example describes several
colleges and universities that mistakenly sent out
incorrect scholarship award notifications to students.
∙ Added several new "PCAOB Inspection Focus"
examples which describe recent inspection findings from the PCAOB on issues that are being discussed in the text. For example, one of the examples
focuses on a failure to audit information technology
general controls (ITGCs) and one of the examples
focuses on program change controls.
∙ Revised the section on important roles in an IT
computing environment at an organization to better
reflect current practice.
∙ Added an insight on the SEC's plans regarding the
disclosure of cybersecurity risks in regulatory filings.
MODULE I: The Audit of Internal Control for
Issuers
∙ New to this edition, we have added a new Module
I that describes the steps and complexities involved
in the audit of internal control over financial
reporting.
∙ The new module contains excerpts from the most
recent Stanley Black & Decker management report
on internal control over financial reporting and
excerpts from Deloitte & Touche's most recent opinion on internal control over financial reporting for
Fannie Mae, which was an adverse opinion.
∙ The new module contains a comprehensive section on the benchmarks that auditors use to evaluate
internal control effectiveness on the audit of internal
control and a robust discussion of the evaluation of
internal control design effectiveness and the operating effectiveness of internal control activities.
∙ The new module also describes the process used by
audit teams to evaluate internal control deficiencies,
illustrated with an Auditing Insight and examples
that illustrate PCAOB Inspection results.
∙ Of course, the new module includes stand-alone
multiple choice questions, along with problems and
exercises.
Acknowledgments
OUR SINCEREST THANKS. . .
The American Institute of Certified Public Accountants (AICPA) has generously given
permission for liberal quotations from official pronouncements and other AICPA publications, all of which lend authoritative sources to the text. In addition, several publishing
houses, professional associations, and accounting firms have granted permission to quote
and extract from their copyrighted material. Their cooperation is much appreciated because
a great amount of significant auditing thought exists in this wide variety of sources.
A special acknowledgment is due to the Association for Certified Fraud Examiners
(ACFE). It has been a generous contributor to the fraud auditing material in this text. The
authors also acknowledge the valuable inclusion of the educational version of IDEA software in the eighth edition, which significantly enhances the practical application of the book.
Also, the authors are particularly grateful to Ryan T. Dunn, PhD, CPA (Auburn University), Meghann Cefaratti (Northern Illinois University), Brad Roof (James Madison
University), and Yigal Rechtman (Pace University) for their many insightful comments
over the past several years. The feedback they contributed while teaching from our text
has contributed greatly to the clarity and accuracy of subsequent editions. A special
thanks to Michael K. Shaub for his valuable critique of Chapter 5 and to Cristina Alberti,
Todd Burns, and Brent Stevens for their input on Module H. In addition, thanks to Steven Dwyer, Suzanne McLaughlin, and Frank Wimer for the example developed to help
explain the difference between general and application controls in Module H and to Bill
Stearns for the inspiration to include the assurance implications of NFTs in Chapter 1.
Thanks to Helen Roybark for her help with the preparation of the instructor PowerPoint
presentations and Joleen Kremin for her contribution to the Apollo Shoes, Inc. case.
We are sincerely grateful for the valuable input of all those who helped guide our
developmental decisions for the past eight editions of Auditing & Assurance Services:
Abdul Qastin
North Carolina A&T State
Barbara Vinciguerra
Moravian College
Carmela Gordon,
Trident Technical College
Adrianne Slaymaker
Metropolitan State University
Beverly Strachan
Troy University at
Montgomery
Carol Shaver
Louisiana Tech University
Alexander K. Buchholz
Brooklyn College of the City
University of New York
Bharat Merchant
Baruch College
Amy Bourne,
Oregon State University
Bobby Waldrup
University of North Florida
Andy Garcia
Bowling Green State University
Bonita K. Peterson Kramer
Montana State University–
Bozeman
Anne Albrecht,
Texas Christian University
Aretha Hill
Florida A&M University
Barbara Reider
University of Montana
Bunney L. Schmidt
Utah Valley State College
Byron Pike
Minnesota State University–
Mankato
Charles J. Pendola,
St. Joseph’s College-New York
Charles Miller
California Polytech University
Christian Wurst
Temple University
Christine N. Todd
Colorado State University–
Pueblo
Clyde Galbraith
West Chester University
David Blum
Moraine Park Technical College
xvii
xviii Acknowledgments
David Gelb
Seton Hall University
Dawn P. Addington
Central New Mexico Community
College
Dereck D. Barr
The University of Mississippi
Diana R. Franz
University of Toledo
Dorothy McMullen
Rider University
Douglas Ziegenfuss
Old Dominion University
Dr. Marina Grau,
Houston Community College
Duane Ponko
Indiana University of Pennsylvania
Duane Smith
Brescia University
Dwayne Powell
Arkansas State University
Dwight M. Owsen
Long Island University Brooklyn
Earl Godfrey
Gardner-Webb University
Eddie Metrejean
Georgia Southern University
Emily Elaine Griffith
The University of Georgia
Eric Carlsen
Kean University
Fatima Alali
California State University–
Fullerton
Fowler A. Murrell
Lehman College
Frank J. Beil
University of Minnesota
Frank Venezia
State Ryan T. Dunn, PhD, CPA
Albany
Gary Peters
University of Arkansas
Heidi H. Meier
Cleveland State University
Hema Rao
SUNY–Oswego
Iris Stuart
California State University
J. Donald Warren Jr.,
Rutgers University
Jack Armitage
University of Nebraska–Omaha
James Hansen
University of Illinois at Chicago
Jason T. Rasso
University of South Florida
Jaysinha Shinde
Eastern Illinois University
Jeffrey J. Archambault
Marshall University
Jennifer McCallen,
University of Georgia
Jerry L. Turner
University of Memphis
John Critchett
Madonna University
John E. Delaney
Southwestern Texas University
John Gabelman
Columbus State Community College
John Rigsby
Mississippi State University
John Trussel
Penn State University–Harrisburg
Joseph Aranyosi,
University of Phoenix
Joseph M. Larkin
St. Joseph’s University
Judith G. Grant
Northern Virginia Community
College at Annandale
Karl Dahlberg
Rutgers University
Kate Sorensen,
University of Memphis
Kathy Pollock
Indiana University–Purdue
University Fort Wayne
Keith Jones
George Mason University
Kristen Kelli Saunders
University of South Carolina
Lin Zheng
Northeastern Illinois University
Linda Quick
University of South Carolina
LuAnn Bean
Florida Institute of Technology
Marcus Mason Doxey
University of Kentucky
Maria Sanchez
Rider University
Marie Blouin
Penn State University–Harrisburg
Marilyn Fisher
Corinthian Colleges
Marshall K. Pitman,
University of Texas at San
Antonio
Marshall Pitman
University of Texas–San Antonio
MaryAnne Atkinson
Central Washington University
Maureen Mascha
Marquette University
Meghann Cefaratti
Northern Illinois University
Michael D. Akers
Marquette University
Pamela Legner
College of DuPage
Pamela Roush
University of Central Florida
Patricia Feller
Nashville State Community
College
Perry Moore
Lipscomb University
Philip Levine
Berkeley College
R. D. Licastro
Penn State University–University
Park
Ramesh Narasimhan
Montclair State University
Raymond Elson
Valdosta State University
Raymond Reisig
Pace University
Richard Hale
Midway College
Acknowledgments
Rick Warne, Todd Burns, and
Brent Stevens
University of Cincinnati
Suzanne M. Busch
California State University–
East Bay
Rose Layton
University of Southern California
Russell F. Briner
University of Texas at San Antonio
Sylvia Anderson
University of Maryland
University College
Sara Adams,
Southern Oregon University
Sharon Polansky
Texas A&M University–Corpus
Christi
Steven C. Hunt
Western Illinois University
Tammi Schaefer
University of South Carolina
Timothy Andrew Seidel
University of Arkansas
Tom English
Boise State University
xix
Tu Xu
Georgia State University
Venkataraman Iyer
The University of North Carolina
at Greensboro
Vincent Owhoso
Northern Kentucky University
Xu Zhaohui
University of Houston–
Clear Lake
Yigal Rechtman
Pace University
Tracy Reed
Appalachian State University
In addition, we would like to recognize our outstanding staff at McGraw-Hill: Managing Director, Tim Vertovec; Senior Portfolio Director, Becky Olson; Associate Portfolio
Manager, Stephanie DeRosa; Marketing Manager, Lauren Schur; Product Developer,
Sarah Wood; Content Project Managers, Mary Powers and Tammy Juran; Buyer, Laura
Fuller; and Designer, Matt Diamond. For their encouragement, assistance, and guidance
in the production of this book, we are grateful.
Few understand the enormous commitment of time and energy that it takes to put
together a textbook. As authors, we are constantly scanning The Wall Street Journal and
other news outlets for real-world examples to illustrate theoretical discussions, rereading and rewriting each other’s work to make sure that key concepts are understandable,
and double-checking our solutions to end-of-chapter problems. Among the few who do
understand the time and energy commitment are our family members (Matt, Garrett, and
Julianne Bagley; Kristin, Jackson, Elijah, Jonah, Ansley, and Laney Grace Blay; Susan
and Meghan Strawser; and Ellen, Jenny, Eric, and Jessica Thibodeau) who uncomplainingly endured endless refrains of, “I just need a couple more minutes to finish this section.” Words cannot express our gratitude to each of them for their patience and unending
support.
A SPECIAL RECOGNITION
As we close, we owe a special debt of gratitude to two former co-authors who contributed
mightily to previous editions of this text: Robert Ramsey (who retired from the University
of Kentucky) and David Sinason (who retired from the University of Northern Illinois).
While they are no longer actively teaching and conducting research, their efforts reflected
in this textbook will continue to influence the professional development and lives of
future accountants for many years to come.
Tim Louwers
Pennie Bagley
Allen Blay
Jerry Strawser
Jay Thibodeau
Instructors
The Power of Connections
A complete course platform
Connect enables you to build deeper connections with your students through
cohesive digital content and tools, creating engaging learning experiences.
We are committed to providing you with the right resources and tools to
support all your students along their personal learning journeys.
65%
Less Time
Grading
Every learner is unique
In Connect, instructors can assign an adaptive reading
experience with SmartBook® 2.0. Rooted in advanced
learning science principles, SmartBook 2.0 delivers
each student a personalized experience, focusing
students on their learning gaps, ensuring that the time
they spend studying is time well-spent.
mheducation.com/highered/connect/smartbook
Laptop: Getty Images; Woman/dog: George Doyle/Getty Images
Affordable solutions,
added value
Solutions for
your challenges
Make technology work for you with
LMS integration for single sign-on access,
mobile access to the digital textbook,
and reports to quickly show you how
each of your students is doing. And with
our Inclusive Access program, you can
provide all these tools at the lowest
available market price to your students.
Ask your McGraw Hill representative for
more information.
A product isn’t a solution. Real
solutions are affordable, reliable,
and come with training and ongoing
support when you need it and how you
want it. Visit supportateverystep.com
for videos and resources both you
and your students can use throughout
the term.
Students
Get Learning that Fits You
Effective tools for efficient studying
Connect is designed to help you be more productive with simple, flexible, intuitive tools that maximize
your study time and meet your individual learning needs. Get learning that works for you with Connect.
Study anytime, anywhere
Download the free ReadAnywhere® app and
access your online eBook, SmartBook® 2.0,
or Adaptive Learning Assignments when it’s
convenient, even if you’re offline. And since
the app automatically syncs with your Connect
account, all of your work is available every time
you open it. Find out more at
mheducation.com/readanywhere
“I really liked this
app—it made it easy
to study when you
don't have your textbook in front of you.”
- Jordan Cunningham,
Eastern Washington University
iPhone: Getty Images
Everything you need in one place
Your Connect course has everything you need—whether reading your digital eBook
or completing assignments for class—Connect makes it easy to get your work done.
Learning for everyone
McGraw Hill works directly with Accessibility
Services Departments and faculty to meet the
learning needs of all students. Please contact your
Accessibility Services Office and ask them to email
accessibility@mheducation.com, or visit
mheducation.com/about/accessibility
for more information.
Brief Contents
PART ONE
11. Completing the Audit
The Contemporary Auditing Environment
1. Auditing and Assurance Services 1
2. Professional Standards
Stand-Alone Modules
PART TWO
Please refer to pages xv–xvi for guidance on
when to best integrate these modules.
The Financial Statement Audit
A. Other Public Accounting Services 578
3. Engagement Planning and Audit
Evidence 82
B. Professional Ethics 612
4. The Audit Risk Model and Inherent Risk
Assessment 122
5. Risk Assessment: Internal Control
Evaluation 174
xxii
662
D. Internal Audits, Governmental Audits, and
Fraud Examinations 706
F. Variables Sampling
783
G. Data and Analytics in Auditing
7. Revenue and Collection Cycle 263
10. Finance and Investment Cycle 433
C. Legal Liability
E. Attributes Sampling 742
6. Employee Fraud and the Audit of
Cash 215
9. The Production Cycle and Auditing
Inventory 381
12. Reports on Audited Financial Statements 524
PART THREE
45
8. Acquisition and Expenditure Cycle
487
321
834
H. Information Technology Auditing
I. The Audit of Internal Control For
Issuers 914
INDEX
947
873
Contents
PART ONE
Chapter 2
Professional Standards
THE CONTEMPORARY AUDITING
ENVIRONMENT
Introduction 46
Generally Accepted Auditing Standards (GAAS)
Chapter 1
Auditing and Assurance Services
Organization of GAAS
Fundamental Principle: Responsibilities
User Demand for Reliable Information 2
Information Risk in a Big Data World 3
Auditing, Attestation, and Assurance Services
Assurance Services 5
Examples of Assurance Services 6
Attestation Engagements 8
Financial Statement Auditing 10
Auditing in a Big Data Environment
Management’s Financial Statement
Assertions 13
12
Existence or Occurrence (Existence, Occurrence,
Cutoff) 14
Completeness (Completeness, Cutoff) 15
Valuation and Allocation (Accuracy, Valuation,
and Allocation) 16
Rights and Obligations (Rights and
Obligations) 17
Presentation and Disclosure (Classification,
Presentation) 17
Importance of Assertions 18
Professional Skepticism 18
Public Accounting 22
Auditing and Assurance Services 23
Tax Services 24
Advisory Services 25
Other Kinds of Engagements and Information
Professionals 26
Internal Auditing 26
Governmental Auditing 27
Regulatory Auditors 28
Become a Professional and Get Certified! 28
Education 28
Examination 29
Experience 30
State Certificate and License 30
Skill Sets and Your Education 30
Summary 32
Key Terms 33
Multiple-Choice Questions for Practice and
Review 34
Exercises and Problems 39
48
5
50
Competence and Capabilities 51
Independence and Due Care 51
Professional Skepticism and Professional Judgment
Fundamental Principle: Performance
Planning and Supervision 55
Materiality 56
Risk Assessment 57
Audit Evidence 58
47
54
53
Fundamental Principle: Reporting 60
Evaluating the Quality of Public Accounting
Firms’ Practices 62
System of Quality Control 63
PCAOB Inspection of Firms 65
Summary 67
Key Terms 68
Multiple-Choice Questions for Practice and Review 69
Exercises and Problems 73
Appendix 2A
Referencing Professional Standards
80
PART TWO
THE FINANCIAL STATEMENT AUDIT
Chapter 3
Engagement Planning and Audit Evidence
Introduction 83
Pre-Engagement Activities
84
Client Acceptance or Continuance 84
Compliance with Independence and Ethical
Requirements 87
Engagement Letters 87
Audit Plan
89
Materiality
95
Staffing the Audit Engagement
Time Budget 94
90
Materiality Calculation 96
Other Issues that Impact Materiality
How Auditors Use Materiality 98
97
Audit Procedures for Obtaining Audit Evidence
1. Inspection of Records and Documents 102
2. Inspection of Tangible Assets 104
99
xxiii
xxiv Contents
3. Observation 104
4. Inquiry 104
5. Confirmation 105
6. Recalculation 106
7. Reperformance 106
8. Analytical Procedures
Appendix 4B
Sample Audit Memorandum
Chapter 5
Risk Assessment: Internal Control Evaluation
106
Audit Documentation 107
Permanent Files 108
Current Files 108
Audit Documentation Arrangement and Indexing 109
Summary 112
Key Terms 113
Multiple-Choice Questions for Practice and Review 114
Exercises and Problems 117
Chapter 4
The Audit Risk Model and Inherent Risk
Assessment
Introduction 123
Audit Risk 123
176
Internal Control Effectiveness 176
Limitations of Internal Control 177
Management versus Auditors’ Responsibility for
Internal Control 178
Management’s Internal Control Responsibilities 178
Auditors’ Internal Control Responsibilities 178
Components of Internal Control 180
Control Environment 180
Risk Assessment 182
Control Activities 183
Information and Communication 188
Monitoring 189
Phase 1: Understand and Document the Client’s Internal
Control System 192
Phase 2: Assessment of Control Risk 196
Phase 3: Identify Controls to Test and Perform
Tests of Controls 199
128
Fraud 130
Types of Fraud 131
Inherent Risk Assessment—“What Could Go
Wrong?” 134
Understanding the Client’s Business and Its
Environment 135
Gathering Information and Preliminary
Analytical Procedures 140
General Business Sources 140
Company Sources 140
Information from Client Acceptance or Continuance
Evaluation, Audit Planning, Past Audits, and
Other Engagements 140
Preliminary Analytical Procedures 141
Audit Team Brainstorming Discussions 146
Inquiry of Audit Committee, Management, and Others
within the Company 147
Overall Assessment and Documentation of Inherent
Risk Assessment 147
Required Documentation 149
Other Considerations 149
Audit Strategy Memorandum 152
Summary 153
Key Terms 154
Multiple-Choice Questions for Practice and Review 155
Exercises and Problems 159
Appendix 4A
Selected Financial Ratios
Introduction 175
Definition of Internal Control
Internal Control Evaluation 190
Audit Risk 123
Inherent Risk 125
Control Risk 125
Detection Risk 125
Audit Risk Model 126
Fraud Risk
171
170
Internal Control Communications 204
Summary 205
Key Terms 206
Multiple-Choice Questions for Practice and Review 207
Exercises and Problems 210
Appendix 5A
Audit Plan
214
Chapter 6
Employee Fraud and the Audit of Cash
Introduction
216
The Need for Skepticism in Audits of Cash 217
Employee Fraud Overview 217
Employee Fraud Red Flags 218
Characteristics of Fraudsters 219
The Fraud Triangle
220
Incentive/Pressure 220
Opportunity 222
Attitude/Rationalization 222
Fraud Prevention 223
Managing People and Pressures in the Workplace 223
Internal Control Activities and Employee Monitoring 224
Tone at the Top 226
The Audit of Cash
227
Management Reports and Data Files in an Audit of Cash 227
Significant Accounts and Relevant Assertions 230
Risk of Material Misstatement 231
Contents
Evaluating the Design and Operating Effectiveness
of Internal Controls 232
Substantive Procedures 238
“Extended Procedures” to Detect Fraud 243
Summary 247
Key Terms 247
Multiple-Choice Questions for Practice and Review 248
Exercises and Problems 252
Appendix 6A
Internal Control Questionnaires
260
Appendix 6B
Audit Plans 262
Chapter 7
Revenue and Collection Cycle
Introduction 264
Revenue and Collection Cycle: Typical Activities 265
Receiving and Processing Customer Orders, Including
Credit Granting 1
266
Delivering Goods and Services to Customers 2
266
Billing Customers and Accounting for Accounts
Receivable 3
267
System Generated Reports and Data Files in the Revenue
and Collection Cycle 267
Significant Accounts and Relevant Assertions 270
Risk of Material Misstatement 271
Revenue Recognition 272
Collectability of Accounts Receivable 274
Customer Returns and Allowances 275
Internal Control Activities and Design Evaluation 275
Entity-Level Controls in the Revenue and Collections
Cycle 276
Control Considerations at the Account and Assertion
Level 276
Tests of Operating Effectiveness of Internal Control 279
Summary: Control Risk Assessment 282
Substantive Analytical Procedures and Tests of
Details 282
Analytical Procedures 283
Confirmation of Accounts and Notes Receivable 286
Alternative Procedures 291
Additional Notes about Confirmations 291
Dual-Purpose Nature of Accounts Receivable
Confirmations 292
Review for Collectability 292
Cutoff and Sales Returns 292
Audit Risk Model Applied 294
Application in the Field 294
Audit Cases: Extended Audit Procedures 295
Summary 301
Key Terms 302
Multiple-Choice Questions for Practice and Review 302
Exercises and Problems 307
xxv
Appendix 7A
Internal Control Questionnaires 317
Appendix 7B
Audit Plan
319
Chapter 8
Acquisition and Expenditure Cycle
Introduction 322
Acquisition and Expenditure Cycle: Typical
Activities 323
Purchasing Goods and Services 1
324
Receiving the Goods or Services 2
325
Recording the Asset or Expense and Related
Liability 3
325
Significant Accounts and Relevant Assertions 326
Accounts Payable 326
Expenses 327
Risk of Material Misstatement 329
Internal Control Activities and Design Evaluation 331
Entity-Level Controls 331
Control Considerations 332
Custody 332
Periodic Reconciliation 333
Testing of Operating Effectiveness of Internal
Control 333
Tests of Controls
333
Substantive Procedures 337
Accounts Payable and the Completeness Assertion
Other Expenditure Cycle Accounts 340
Presentation and Disclosure 345
338
Audit Risk Model Applied 345
Fraud Cases: Extended Audit Procedures 347
Summary 350
Key Terms 350
Multiple-Choice Questions for Practice and
Review 351
Exercises and Problems 354
Appendix 8A
Internal Control Questionnaires 364
Appendix 8B
Audit Plans 367
Appendix 8C
The Payroll Cycle
369
Chapter 9
The Production Cycle and Auditing Inventory
Keeping Count 382
Inventory Management: Typical Activities 383
Significant Accounts and Relevant Assertions 386
xxvi Contents
Risk of Material Misstatement 388
Internal Control Activities and Design Evaluation 390
Testing of Operating Effectiveness of Internal
Control 394
Substantive Analytical Procedures and Tests of
Details 399
Key Terms 470
Multiple-Choice Questions for Practice and Review 470
Exercises and Problems 474
Appendix 10A
Audit Risk Model Applied 411
Substantive Audit Plans 484
Difficult Inventory Circumstances 406
Fraud Case: Extended Audit Procedures
412
Summary 413
Key Terms 414
Multiple-Choice Questions for Practice and
Review 414
Exercises and Problems 418
Appendix 9A
Internal Control Questionnaires
482
Appendix 10B
Chapter 11
Completing the Audit
Introduction 488
Audit Timeline 488
Procedures Performed During Fieldwork
429
490
Completing Substantive Procedures 490
Attorney Letters 492
Written Representations 494
Ability to Continue as a Going Concern 496
Adjusting Entries and Financial Statement Disclosure 498
Audit Documentation Review 501
Appendix 9B
Audit Plans 431
Chapter 10
Finance and Investment Cycle
Introduction 434
Finance and Investment Cycle: Typical Activities 436
Financing the Entity through Debt and Stockholder
Equity 437
Financial Planning 1
437
Raising Capital 2
437
Investing Transactions: Investments
and Intangibles 3
439
Significant Accounts and Relevant Assertions 441
Risk of Material Misstatement 442
Complex Transactions 443
Fair Market Value 444
Related-Party Transactions 444
Lease Accounting 445
Loan Covenants 445
Impairments 446
Presentation and Disclosure 446
Internal Control Activities and Design Evaluation 447
Control Considerations 448
Tests of Operating Effectiveness of Internal Control 449
Control over Accounting Estimates 451
Authorization 452
Record Keeping 452
Custody 452
Summary: Control Risk Assessment 453
Subsequent Events and Subsequently
Discovered Facts 502
Subsequent Events 502
Subsequently Discovered Facts 503
Responsibilities Following the Audit Report
Release Date 505
Omitted Procedures 505
Communications with Individuals Charged with
Governance 505
Management Letter 507
Summary of Audit Communications 507
Summary 508
Key Terms 509
Multiple-Choice Questions for Practice and Review 510
Exercises, Problems, and Simulations 513
Chapter 12
Reports on Audited Financial Statements
Introduction 525
Overview of Auditors’ Reports 526
The Standard Report for Nonissuers 527
Types of Opinions 529
Conditions that Require Modifications to the Auditors’
Standard (Unmodified) Report 530
Substantive Analytical Procedures and Tests of
Details 454
Investment Securities 457
Long-Term Liabilities and Related Accounts
Stockholders’ Equity 463
Internal Control Questionnaires
462
Fraud Cases: Extended Audit Procedures 465
Summary 469
Departures from GAAP 530
Scope Limitations 533
Audits of Group Financial Statements 537
Auditors’ Reports Referencing Other Matters
Encountered during the Audit 540
Consistency 540
“Going-Concern” Uncertainties 541
Other Information Included in Annual Reports
542
xxvii
Contents
Supplementary Information 543
Other Modifications 543
Summary: Emphasis-of-Matter and Other-Matter
Paragraphs 544
Comparative Financial Statements 545
Same Auditors, Same Opinions for Comparative Years 545
Same Auditors, Different Opinions for Comparative
Years 545
Same Auditors with Modification of Previously Issued
Opinion 545
Different Auditors in Comparative Years 546
Other Reporting Topics 548
Special Purpose Frameworks 548
Summary Financial Statements 550
Specified Elements, Accounts, or Items 550
Compliance with Contractual Agreements or
Regulatory Requirements 551
Disclaimers of Opinion 551
Summary 552
Key Terms 554
Multiple-Choice Questions for Practice and Review 555
Exercises and Problems 559
Appendix 12A
Auditors’ Reports for Issuers
(Public Entities) 573
STAND-ALONE MODULES
580
Service Organization Control (SOC) Engagements 582
Agreed-Upon Procedures Engagements 584
Prospective Financial Information 585
Compliance Attestation 587
Broker–Dealer Compliance 588
Other Attestation Engagements and Summary 589
Accounting and Review Services for Historical
Financial Information 590
Review Engagements 590
Compilation Engagements 593
Preparation Engagements 594
Summary of Engagements on Historical Financial
Information 595
Scope of Assurance Services 595
Trust Services 597
The Future of Assurance Services 599
Summary
600
Introduction 613
An Ethical Decision Process
614
Making Ethical Decisions 615
Philosophical Principles in Ethics 616
The Imperative Principle 617
The Principle of Utilitarianism 618
The Generalization Argument 618
Virtue Ethics 619
Ethical Codes of Conduct 619
U.S. Securities and Exchange Commission (SEC) 620
The Public Company Accounting Oversight Board
(PCAOB) 621
The International Federation of Accountants (IFAC) 621
The Professional Ethics Executive Committee (PEEC) of
the American Institute of CPAs (AICPA) 621
An Emphasis on Independence
623
AICPA Rules of Conduct: Integrity and
Objectivity, Responsibilities to Clients, and Other
Responsibilities 634
MODULE A
Other Public Accounting Services
Assurance Services Engagements 595
MODULE B
Professional Ethics
American Institute of Certified Public Accountants 624
SEC and PCAOB Independence Rules 631
Other Effects of Sarbanes–Oxley on Auditor
Independence 632
Government Accountability Office (GAO) Independence
Requirements 633
PART THREE
Introduction 579
Introduction to Attestation Engagements
Attestation Engagements 581
Key Terms 600
Multiple-Choice Questions for Practice and Review 601
Exercises and Problems 605
Integrity and Objectivity Rule 634
General Standards Rule 636
Compliance with Standards Rule 637
Accounting Principles Rule 637
Acts Discreditable Rule 637
Fees and Other Types of Remuneration 638
Advertising and Other Forms of Solicitation Rule
Confidential Client Information Rule 641
Form of Organization and Name Rule 643
640
Consequences of Violating the Code of
Professional Conduct 644
Self-Regulatory Discipline 644
Public Regulation Discipline 645
Summary 647
Key Terms 648
Multiple-Choice Questions for Practice and Review 649
Exercises and Problems 654
MODULE C
Legal Liability
Introduction 663
The Legal Environment
664
xxviii Contents
Liability Under Common Law
666
Liability to Clients 666
Liability to Third Parties 667
Liability for Compilation and Review Services 672
Liability Under Statutory Law 673
The Securities Act of 1933 (Securities Act) 674
Section 11: Civil Liability 674
Auditors’ Defenses under the Securities Act 676
Section 13: Statute of Limitations 676
Section 17: Antifraud 676
Section 24: Criminal Liability 677
The Securities Exchange Act of 1934 (Securities
Exchange Act) 677
Section 10 and Rule 10(b)-5: Antifraud 678
Section 18: Civil Liability 679
Auditors’ Defenses under the Securities Exchange Act 680
Section 32: Criminal Liability 680
Foreign Corrupt Practices Act (FCPA) 681
Summary of Auditors’ Liability to Clients
and Third Parties 682
The Changing Landscape of Auditors’ Liability 683
Sarbanes–Oxley 684
Racketeer Influenced and Corrupt Organizations Act 685
Aiding and Abetting 686
Organization of Accounting Firms as Limited Liability
Partnerships 686
Proportionate Liability 686
Class-Action Suits 687
Auditors’ Liability Caps 688
Other Developments 688
Summary 689
Key Terms 690
Multiple-Choice Questions for Practice and Review 691
Exercises and Problems 696
MODULE D
Internal Audits, Governmental Audits,
and Fraud Examinations
Introduction 707
Internal Audits, Governmental Audits, and Fraud
Examinations 707
Internal Audits 708
Internal Auditing Defined 708
Internal Audit Standards 710
Types of Internal Audit Services 711
Internal Audit Reports 714
Governmental Audits 715
Governmental Auditing Defined 715
Types of Governmental Audits 716
GAO Government Auditing Standards 719
GAO Audit Reports 720
Single Audit Act of 1984 and Amendments of 1996 720
Fraud Examinations 721
The Art of Fraud Examinations
723
Fraud Examiner Responsibilities 724
Building a Fraud Case 726
Protecting the Evidence 726
Obtaining Litigation Support 726
Summary 727
Key Terms 728
Multiple-Choice Questions for Practice and Review 729
Exercises and Problems 732
MODULE E
Attributes Sampling
Introduction 743
Planning (Steps 1-3) 744
Step 1: Determine the Objective of Sampling 744
Step 2: Define the Characteristic of Interest 744
Step 3: Define the Population 745
Performing (Steps 4-6) 746
Step 4: Determine the Sample Size 746
Step 5: Select the Sample Items 752
Step 6: Measure the Sample Items 753
Evaluating Sample Results (Step 7)
754
Calculating the Upper Limit Rate of Deviation 754
Making the Evaluation Decision 755
Using IDEA to Evaluate Sample Results 756
Qualitative Evaluation of Deviations 757
Documenting 758
Other Attributes Sampling Methods 759
Summary 761
Key Terms 761
Multiple-Choice Questions for Practice
and Review 762
Exercises and Problems 766
Appendix EA
AICPA Sample Size Tables 779
Appendix EB
AICPA Sample Evaluation Tables 781
MODULE F
Variables Sampling
Introduction 784
Definition of Variables Sampling
PPS Sampling: Planning 786
Steps 1–3: Planning 786
PPS Sampling: Performing
784
788
Step 4: Determine the Sample Size 788
Step 5: Select the Sample Items 791
Step 6: Measure the Sample Items 794
Summary: Performing PPS 794
PPS Sampling: Evaluating 795
Step 7: Evaluating Sample Results 795
Other Variables Sampling Approaches 800
Documentation in Variables Sampling 801
Contents
Summary 802
Key Terms 803
Multiple-Choice Questions for Practice and Review 804
Exercises and Problems 807
Appendix FA
AICPA PPS Tables
818
Appendix FB
Classical Variables Sampling
820
Appendix FC
Nonstatistical Sampling 831
MODULE G
Data and Analytics in Auditing
Introduction
835
The Art of Discovery 835
Audit of the Future 837
Data and Analytics 837
Common Uses of Audit Data Analytics 839
Risk Assessment Procedures 839
Tests of Controls 841
Substantive Analytical Procedures 843
Tests of Details 844
Conducting Audit Data Analytics 847
Plan the ADA 847
Access and Prepare the Data 848
Consider the Relevance and Reliability of the Data 849
Perform the ADA 851
Evaluate the Results and Draw Conclusions 852
Documentation Requirements 853
Common Tools Used in ADA 854
Professional Skepticism in ADA
855
The Next Generation of Auditing 855
External Big Data 856
Artificial Intelligence 856
Distributed Ledger Technology 857
Summary 858
Key Terms 858
Multiple-Choice Questions for Practice and
Review 859
Exercises and Problems 862
MODULE H
Information Technology Auditing
Computer Operations Controls 882
Program Development Controls 883
Summary 884
Automated Application Controls
Input Controls 887
Processing Controls 888
Output Controls 889
Summary 889
887
Assessing Control Risk in An It Environment 891
Testing Controls in An It Environment 893
End-User Computing and Other Environments 896
End-User Computing Control Considerations 897
Computer Abuse and Computer Fraud
899
Preventive, Detective, and Damage-Limiting
Controls 900
Computer Forensics 902
Summary 902
Key Terms 903
Multiple-Choice Questions for Practice and
Review 904
Exercises and Problems 906
MODULE I
The Audit of Internal Control For Issuers
Introduction 915
Laws, Regulations & Standards
916
Effectiveness of Internal Control 916
Management’s Responsibility 917
Auditors’ Responsibilities 918
The Audit of Internal Control Over Financial
Reporting 920
Components of Internal Control over Financial
Reporting 921
Performing the Audit
923
Audit Planning 923
Testing Design and Operating Effectiveness 924
Evaluating Identified Deficiencies 926
Severity of Deficiency 927
Compensating Controls 927
Communicating the Results of the Audit 929
Communicating Significant Deficiencies and
Material Weakness 929
Audit Reporting
930
Auditors’ Separate Report on Internal Control
Over Financial Reporting 931
Modifications to the Standard Report 931
Scoping the IT Audit Procedures 877
Types of IT Control Activities 879
Summary 934
Key Terms 935
Multiple-Choice Questions for Practice and
Review 935
Exercises, Problems, and Simulations 941
Access to Programs and Data Controls 880
Program Change Controls 881
Index 947
Introduction
874
Automated Transaction Processing 875
Reliance on IT Controls 877
General IT Controls 880
xxix
Auditing &
Assurance Services
CHAPTER 1
Auditing and
Assurance Services
Our system of capital formation relies upon the confidence of millions of
savers to invest in companies. The auditor’s opinion is critical to that trust.
James R. Doty, Former Chairman, Public Company Accounting Oversight Board
Professional Standards References
AU-C/ISA
Section
AS
Section
General Principles and Functions of the Independent Auditor
200
1001 1005
1010 1015
Consideration of Fraud in a Financial Statement Audit
240
2401
Audit Evidence
500
1105
AT 101
AT 101
935
6110
Topic
Attestation Standards
Compliance Auditing Considerations in Audits of Recipients of Governmental Financial Assistance
LEARNING OBJECTIVES
You are about to embark on a journey of
understanding how auditors work to keep the capital
markets safe and secure for the investing public.
When an upper management team needs to borrow
money or raise capital to fund their business’ growth
opportunities, creditors and potential investors
routinely ask the managers for their historical
financial statements before making a final decision
about whether to lend or invest in that company.
Since those managers have an incentive to present
financial statements that potentially overstate their
assets or overstate their profitability to try and
secure the funds, creditors and investors will often
demand that the financial statements be audited by
an independent CPA. The audit helps the lenders
and investors to feel comfortable that the financial
statements are credible and can be relied upon. In
this book, you will be provided with a comprehensive
set of materials that will allow you to understand
how auditors complete their work and to master
the professional standards that they are required
to follow. Chapter 1 provides an introduction to the
auditing and assurance profession.
Your objectives are to be able to
LO 1-1
Define information risk and explain how the
financial statement auditing process helps to
reduce this risk, thereby reducing the cost of
capital for a company.
LO 1-2
Define and contrast assurance, attestation,
and financial statement auditing services.
LO 1-3
Describe and define the assertions that
management makes about the recognition,
measurement, presentation, and disclosure
1
2 Part One The Contemporary Auditing Environment
of the financial statements and explain why
auditors use them as the focal point of the audit.
LO 1-4
Define professional skepticism and explain
its key characteristics.
LO 1-5
Describe the organization of public
accounting firms and identify the various
services that they offer.
LO 1-6
Describe the audits and auditors in
governmental, internal, and operational
auditing.
LO 1-7
List and explain the requirements for becoming a certified public accountant (CPA) and
other certifications available to an accounting professional.
USER DEMAND FOR RELIABLE INFORMATION
LO 1-1
Define information risk and
explain how the financial
statement auditing process
helps to reduce this risk,
thereby reducing the cost of
capital for a company.
When seeking capital to grow their business, management has an incentive to present their
company’s financial statements and future prospects in a manner that will entice potential
investors and creditors. Since the possibility exists that management could misrepresent
their financial position and results of operations, it is essential that investors and creditors have assurance that they can rely on the information provided by management, which
creates demand for the financial statement audit. Stated simply, when an independent auditor completes an audit and then issues a report that states that the financial statements
are presented fairly, in all material respects and have been presented in accordance with
Generally Accepted Accounting Principles (GAAP), the financial statements can be relied
upon by investors and creditors.
Unfortunately, the investors in Theranos, a blood-testing startup company, never asked
for an independent audit report. In March 2018, the Securities and Exchange Commission (SEC) settled massive fraud charges against Theranos, their CEO Elizabeth Holmes,
and their president, Sunny Balwani. The SEC’s complaint alleged that the materials provided to potential investors included a company overview, reports of clinical trials, and
financial statement information and projections. However, the package did not include
an independent audit report. Unfortunately the company, which was valued as high as
$9 billion by investors back in 2015, barely had enough cash to pay the bills less than
five years later.1 In January 2022, Elizabeth Holmes was convicted of two counts of wire
fraud and two counts of conspiracy to commit wire fraud. She now faces up to 20 years in
prison.2 This example helps to reinforce why it is so important for investors and creditors
to review audited financial statements as they consider whether to invest or loan money
to a company. Of course, for the audit to have true value to investors and creditors, it
must be completed in accordance with professional standards in a high quality manner
by independent auditors.
You may be asking, why is audit quality so important? Well, as we have just seen,
both investors and creditors depend on reliable financial statement information to make
their investment and lending decisions about a company. As a result, the confidence
of investors and creditors is shaken whenever audit quality is compromised. To help
ensure that audit quality is not compromised, the Sarbanes–Oxley Act of 2002 (hereafter referred to as Sarbanes–Oxley) created the Public Company Accounting Oversight Board (PCAOB) to regulate the audit profession for public companies. In fact, the
PCAOB is responsible for setting all audit standards to be followed on audits of public
companies. In addition, the PCAOB is required to perform inspections of the audit work
completed and the quality control processes employed by audit firms. As a direct result,
accounting students should know that if they plan to work as financial statement auditors, they will be entering a world that is focused on audit quality. Consider the following Auditing Insight “Audit Quality.”
1
“The investors duped by the Theranos fraud never asked for one important thing,” MarketWatch, March 19, 2018
(online source).
2
“Elizabeth Holmes Found Guilty on 4 Counts of Fraud, Conspiracy in Split Verdict,” MarketWatch, January 3, 2022
(online source).
Chapter 1 Auditing and Assurance Services 3
AUDITING INSIGHT
Audit Quality
In November 2021, Ernst & Young (EY) published its report on audit
quality for 2021. In the report, the firm’s leaders affirmed their commitment to audit quality through continuous improvement of their
audit process and a strong focus on their quality control system.
They also firmly embraced their role to serve the public interest and
acknowledged their critically important responsibility to the investing public for instilling confidence in the capital markets. The report
highlights EY’s key areas of focus to drive the firm’s audit quality
efforts, which include full implementation of their innovative digital
audit methodology, an enhanced focus on staff training and project
management skills, along with reinforcing the importance of independence and professional skepticism. The report also specifically
discussed the enhancement of the firm’s use of data and analytics as
a way to manage the firm’s focus on risks. The report is a clear indication to students that quality matters more than anything else in their
future work as auditing professionals.
Source: Our Commitment to Audit Quality: Information for Audit Committees,
Investors and other Stakeholders, Ernst & Young LLP, November 2021.
Before we think about audit quality any further, we must first explain the vital role that
financial statement auditors play in supplying key decision makers with useful, understandable, and timely information. When you have a better understanding of why auditing is so critical to help ensure the liquidity of the world’s capital markets, we will then
explore in detail the process auditors take to help ensure that audit quality is achieved.
Because many of you are likely planning to enter the public accounting profession and
work as an auditor, we hope that you will work hard to acquire this knowledge so that you
may do your part in playing a key role in maintaining the public’s confidence in both the
auditing profession and the capital markets.
Information Risk in a Big Data World
All businesses make a countless number of decisions each and every day. Decisions to
purchase or sell goods or services, lend money, enter into employment agreements, or buy
or sell investments depend in large part on the quality of useful information. These decisions affect business risk, which is the risk that an entity will fail to meet its objectives. For
example, business risk includes the chance a company takes that its own customers will
buy from competitors, that product lines will become obsolete, that taxes will increase,
that government contracts will be lost, or that employees will go on strike. If the company
fails to meet its objectives enough times, the company may ultimately fail. To minimize
these risks and take advantage of other opportunities presented in today’s competitive
business environment, decision makers such as chief executive officers (CEOs) demand
timely, relevant, and reliable information. Similarly, investors and creditors demand highquality information to make educated investing and lending decisions. Information professionals such as accountants and auditors help satisfy this demand.
In recent years, as a result of ever-increasing computing power, the decision-making
environment is rapidly being transformed into one that is characterized by the availability
of significant amounts of data and information. Let’s face it, the amount of information that organizations are seeking to manage is greater than anyone could have possibly
imagined just 10 years ago. You are entering a world where upper management teams are
placing more emphasis than ever on how to make sense of this seemingly ever-increasing
availability of data and information. To help you prepare for this “big data” challenge as
an auditor, we will be drawing upon this theme in multiple chapters throughout this book.
There are at least four environmental conditions in this big data world that increase
user demand for relevant and reliable information:
1. Complexity. Events and transactions in today’s global business environment are
numerous and often very complicated. You may have studied derivative securities and
hedging activities in other accounting courses, but investors and other decision makers
may not have your level of expertise when dealing with these complex transactions.
Furthermore, these decision makers are not trained to collect, compile, and summarize
4 Part One The Contemporary Auditing Environment
the key operating information themselves. They need the services provided by information professionals to help make the information more understandable for their decision processes.
2. Remoteness. Decision makers are usually separated from current and potential business
partners not only by a lack of expertise but also by distance and time. Investors may not
be able to visit distant locations to check up on their investments. Instead, they need to
employ full-time information professionals to do the work they cannot do for themselves.
3. Time sensitivity. Today’s economic environment requires businesses, investors, and
other financial information users to make decisions more rapidly than ever before. The
ability to promptly obtain high-quality information is essential to businesses that want
to remain competitive in our global business environment.
4. Consequences. Decisions can involve a significant investment of resources. The
consequences are so important that reliable information, obtained and verified by
information professionals, is an absolute necessity. Theranos’s aftermath provides a
graphic example of how decisions affect individuals’ (as well as companies’) financial
security and well-being. Consider that back in 2015, as a private company, Theranos
was valued over $9 billion and employed over 700 people. Yet, by September 2018,
Theranos was out of business.3 The following Auditing Insight “More Consequences”
describes another example.
AUDITING INSIGHT
Even More Consequences
Bernard Madoff, a former chairman of the NASDAQ stock market and a
respected Wall Street adviser and broker for 50 years, was arrested after
his sons turned him in for running “a giant Ponzi scheme,” bilking investors out of billions of dollars. Many investors, including actors, investment bankers, politicians, and sports personalities, lost their life savings.
Although some of the world’s most knowledgeable investors fell
prey to the scam, numerous red flags were present for all who were
wise enough to see them. First, Madoff’s fund returned 13–16 percent
per year, every year, no matter how the markets performed. Second, his
stated strategy of buying stocks and related options to hedge downside
risk could not have occurred because the number of options necessary
for such a strategy did not exist. Third, although his firm claimed to
manage billions of dollars, its auditing firm had only three employees,
including a secretary and a 78-year-old accountant who lived in Florida.
Sources: “Fund Fraud Hits Big Names,” The Wall Street Journal, December
13, 2008, pp. A1, A7; “Fees, Even Returns and Auditor All Raised Flags,” The
Wall Street Journal, December 13, 2008, p. A7; “Top Broker Accused of $50
Billion Fraud,” The Wall Street Journal, December 12, 2008, pp. A1, A14;
“Probe Eyes Audit Files, Role of Aide to Madoff,” The Wall Street Journal,
December 23, 2008, pp. A1, A14.
A further complication in effective decision making is the presence of information risk.
Information risk is the probability that the information circulated by a company will be false
or misleading. Decision makers usually obtain their information from companies or organizations they want to conduct business with, provide loans to, or engage with in buying or
selling the company’s stock. Because the primary source of information is the target company itself, an incentive exists for that company’s management to make its business or service appear to be better than it actually is, to put its best foot forward. As a result, preparers
and issuers of financial information (directors, managers, accountants, and other people
employed in a business) might benefit by giving false, misleading, or overly optimistic
information. This potential conflict of interest between information providers and users,
along with financial statement frauds such as the one perpeatrated at Theranos, leads to
a natural skepticism on the part of users. Thus, they depend on information professionals to serve as independent and objective intermediaries who will lend credibility to the
information. This lending of credibility to information is known as providing assurance.
When the assurance is provided for specific assertions made by management, we refer to
the assurance provided as attestation. When the assertions are embodied in a company’s
3
S. Fiegerman and S. O’Brien, “Theranos Employees Struggle to Put Scandal behind Them,” CNN, March 14, 2019
(online source).
Chapter 1 Auditing and Assurance Services 5
financial statements, we refer to the attestation as auditing. More specifically, when their
work is completed, the auditors supply an opinion as to whether the financial statements
and related footnotes are presented fairly in all material respects. The actual compilation
and creation of the financial statements is completed by the company’s accountants.
REVIEW CHECKPOINTS
1.1 What is a business risk?
1.2 What four environmental conditions that increase user demand for relevant and reliable
information?
1.3 What type of risk creates a demand for independent and objective audit services to decision makers like investors and creditors?
AUDITING, ATTESTATION, AND ASSURANCE SERVICES
LO 1-2
Define and contrast
assurance, attestation, and
financial statement auditing
services.
Now that you understand why decision makers need independent information professionals to provide assurance on key information, we further define assurance, attestation and
financial statement auditing services in this section, and explain their roles in today’s
information economy.
Assurance Services
The American Institute of Certified Public Accountants (AICPA) defines an assurance
service as any independent professional service that improves the quality of information,
or its context, for decision makers. The definition is intentionally broad to encompass
a wide range of services that could be performed by CPAs to add value in today’s
ever-changing information economy. In fact, given the market opportunities that
exist in today’s information economy, the AICPA is deliberately seeking to expand
the CPA’s traditional focus on financial statements to include different types of
information, whether it be financial or nonfinancial. Before moving forward, let’s take
a closer look at the major elements and boundaries of the AICPA’s definition for an
assurance service which are
∙ Independence. CPAs want to preserve their attestation and audit reputations and competitive advantages by always preserving integrity and objectivity when performing
any type of assurance service.
∙ Professional services. Virtually all work performed by CPAs (accounting, auditing, data
management, taxation, management, marketing, finance) is defined as a professional
service as long as it involves some element of judgment based on education and
experience.
∙ Improving the quality of information or its context. CPAs can enhance information
quality in a number of different ways. For example, by helping to assure users about
the relevance of information being used in a particular decision-making context. Or,
the CPA can enhance the quality of information by helping to assure users about the
reliability or credibility of the information being used to make decisions. It is important to point out that the emphasis of the definition is on information, which focuses on
CPAs’ traditional value proposition. Also, remember that when considering assurance
services, improving the context of information refers not only to the information itself
but to how the information is being used in a decision-making context.
6 Part One The Contemporary Auditing Environment
∙ For decision makers. The decision makers are the consumers of assurance services,
and they personify the customer focus of different types of professional services being
offered by CPAs. Ultimately, the decision makers are the beneficiaries of the assurance services performed, and depending upon the specific nature of the service, decision makers might be a very small, targeted group (e.g., an upper management team of
a client, a group of creditors) or a large group (e.g., all potential investors).
The following Auditing Insight “Third Party Assurance” indicates how the quality of
information can assist both buyers and sellers in today’s market.
AUDITING INSIGHT
Third Party Assurance
Exhibit 1.1 shows two 1961 Topps Mickey Mantle baseball cards. The
card on the right was offered on eBay with the seller’s representation
that the card was in Near Mint/Mint condition. This representation is a
standard description and is the equivalent of a grade 8 on a standard
10-point scale used in grading the quality of a trading card. The card
was purchased on eBay for $205.50.
Within a week, a second 1961 Topps Mickey Mantle baseball
card was sold on eBay. Again, this card was offered with the seller’s
representation that the card was in Near Mint/Mint condition (card
on the left). The only difference was that this card had been sent to
Professional Sports Authenticator (PSA), a company that verifies the
authenticity and quality of sports items. Note that PSA does not buy
or sell sports merchandise; it acts only as an independent third party
expressing a professional opinion regarding the merchandise in question. This card sold for $585.
The only difference between the two transactions was that the
buyers of the card on the left had more information concerning the
risk inherent in the transaction. Why was the first transaction riskier?
What were the buyers’ concerns? Were the concerns only from intentional misstatements? How did the grading of the card by PSA reduce
these concerns? What are the incentives for PSA to grade the card
EXHIBIT 1.1 Professional Sports Authenticator as
Third-Party Assuror
Courtesy of Allen Blay
accurately? How does the business of PSA relate to the profession of
auditing?
Examples of Assurance Services
Without a doubt, the most common type of assurance services provided by CPAs are
attestation services. In an attestation service, the CPA expresses an opinion about information (or an assertion about that information) that is the responsibility of another party.
While there are many types of attestation services that can be performed, the financial
statement audit is the most common type of attestation service provided by CPAs. When
completing an attestation service, the CPA is auditing the information to enhance its reliability or credibility for decision makers. We will discuss attestation services, including
the financial statement audit, shortly but before moving forward, just a reminder that
assurance services is the most broad categorization of the services typically provided
by CPAs. Keeping that in mind, Exhibit 1.2 depicts the relationships among assurance,
attestation, and auditing services.
In general, assurance services other than attestation and financial statement auditing
services tend to be more customized for use by smaller, targeted groups of decision makers. For example, many companies and organizations have used public accounting firms
to conduct a comprehensive assessment of risks that the enterprise faces. This type of
enterprise risk assessment can then be used to show stakeholders that the management
Chapter 1 Auditing and Assurance Services 7
EXHIBIT 1.2
Assurance Engagements
The Relationships
among Assurance,
Attestation, and Audit
Engagements
Attestation Engagements
Financial Statement
Audit Engagements
team understands and is properly managing the risks that the enterprise faces. We also
present a few more examples of assurance services to illustrate the variety of services that
fall under the assurance service umbrella. Some will look familiar and others may defy
imagination:
∙
∙
∙
∙
∙
Cybersecurity risk assessment and assurance.
XBRL (eXtensible Business Reporting Language) reporting.
Evaluation of investment management policies.
Internal audit outsourcing
Fraud and illegal acts prevention and deterrence.
Be aware, that public accounting firms must pick and choose the services that they wish to
provide to the market based on the expertise that resides within the firm. Nobody believes or
maintains that all public accounting firms will want or be able to provide all types of assurance services. However, as the following Auditing Insight “Can Accounting Complexity Be
Measured Using XBRL” illustrates, there may be an emerging benefit of XBRL reporting
that has yet to be fully realized.
AUDITING INSIGHT
Can Accounting Complexity Be Measured
Using XBRL?
XBRL (also referred to by the SEC as interactive data) is an information
format designed specifically for business reporting. Through the
“tagging” of specific data items (cash, inventory, sales transactions,
etc.), XBRL facilitates the collection, summarization, and reporting
of financial information in a medium that users can easily transform
for their own decision-making purposes. Recently, researchers have
created a measure of reporting complexity for the public companies
and foreign private issuers listed with the SEC that are all required to
use XBRL for SEC filings.
The researchers proposed a new measure of accounting reporting
complexity (ARC) based primarily on the sheer number of items that have
an XBRL tag that were disclosed in the company’s Form 10-K filings.
It turns out that the disclosure of more XBRL tags is difficult because
the accountants need to know more about accounting standards.
And if they do not, they found that there is an increased chance of
mistakes and outright errors by the company. Their analysis of the
data revealed “a greater likelihood of misstatements and material
weakness disclosures, longer audit delay, and higher audit fees”
for the companies that had more accounting reporting complexity as
measured by XBRL.
Sources: R. Hoitash and U. Hoitash, “Measuring Accounting Reporting
Complexity with XBRL” The Accounting Review, January 2018, pp. 259–287;
“Interactive Data to Improve Financial Reporting,” AICPA (online source);
“XBRL US Center for Data Quality,” AICPA (online source).
Before turning our attention to attestation and financial statement auditing services,
it is important to point out the difference between assurance services and consulting
(or advisory services) performed by public accounting firms. In providing advisory services, CPAs use their professional skills and experiences to provide recommendations
to a client’s management team for specific outcomes such as information system design
8 Part One The Contemporary Auditing Environment
and operation; whereas in assurance services, the focus is entirely on the information
that decision makers use. However, like advisory services, assurance services do have
a “customer focus,” and CPAs develop assurance services that add value for customers
(i.e., decision makers). Consider the potential market opportunity that may exist related
to non-fungible tokens, described in the following Auditing Insight “NFTs, an Emerging
Market Opportunity.”
AUDITING INSIGHT
NFTs, an Emerging Market Opportunity
for CPAs?
Non-Fungible Tokens, or NFTs, are becoming very popular. But
what exactly is an NFT? According to Merriam-Webster, an NFT is “a
unique digital identifier that cannot be copied, substituted, or subdivided, that is recorded in a blockchain, and that is used to certify
authenticity and ownership (as of a specific digital asset and specific
rights relating to it).” Put in simple terms, an NFT is a one-of-a-kind
digital asset that allows you to prove that you are the owner of that
digital asset. It is non-fungible because there is no asset you can
trade equally for it.
An NFT, for now, is anything produced digitally, which is mainly
a photo, video, or other type of artwork. However, investors in this
market do see the possibility of the deed to your house or even a used
ticket to a sporting event as being an NFT. The possibilities appear to
be limitless.
So how much money is being spent on NFTs? Prior to 2021, a
total of $94.9 million was spent; in 2021 that number jumped to
$24.9 billion. What are some of the items purchased for these great
sums? Digital art by the artist “Beeple” sold for $6.6 million while
the original code for the World Wide Web sold for $5.4 million. The
big question to ponder, can information assurers add value to this
emerging market?
Sources: The 11 Most Expensive NFTs Sold in 2021 You Need To Know About,
Investor Place (online source); NFTs–Definition, Merriam-Webster (online source);
What is an NFT? Non-Fungible Tokens Explained, Forbes (online source).
Although attestation engagements and financial statement audits are specific
types of assurance engagements and auditors can thus be described more generally as
information assurors, hereafter we will use the term auditor instead of information
assuror because of the specific responsibilities that auditors have under generally
accepted auditing standards (GAAS) as well as under regulatory bodies such as the
SEC and the PCAOB. However, many of the procedures that auditors perform as part
of an audit engagement are similar to those performed as part of other information
assurance engagements. Throughout this book, we will point out these shared procedures when appropriate. For now, let us turn our attention specifically to attestation
engagements.
Attestation Engagements
Many people appreciate the value of auditors’ attestations on historical financial statements, and as a result, they have found other types of information to which certified
public accountants (CPAs) can attest. The AICPA defines an attestation engagement as
a service where a practitioner is requested to examine whether management’s assertion
about some type of subject matter can be relied upon.
Many decision makers have appreciated the value of financial statement auditors’
attestations on historical financial statements, and as a result, they have found other types
of information to which CPAs can attest to. For example, as more and more companies
and organizations seek to demonstrate their efforts related to corporate social responsibility, demand is growing for attestation services related to environmental reporting. When
applying the above definition to this context, you will note that a practitioner (i.e., an
environmental reporting auditor) is engaged to issue a report on assertions about subject
Chapter 1 Auditing and Assurance Services 9
matter (i.e., that the environmental reports are presented in accordance with appropriate
laws and regulations) that are the responsibility of another party (i.e., the management
team). The following Auditing Insight “An Emerging Growth Opportunity for CPAs”,
indicates the significance of this emerging market for public accounting firms.
AUDITING INSIGHT
An Emerging Growth Opportunity for CPAs
The International Financial Reporting Standards (IFRS) Foundation has
announced a new board to oversee disclosures related to measures
of sustainability. The board, which is being called the International
Sustainability Standards Board (ISSB) is being asked to develop disclosure standards to help investors obtain relevant and reliable measures
of sustainability.
Assurance services related to measures of sustainability is part of
a much broader Environmental, Social and Governance (ESG) effort
being promoted by institutional investors, mutual funds, private
equity, and venture capital funds. It is hoped that a “comprehensive
global baseline of high-quality sustainability disclosure standards” will
be developed that will help public accounting firms perform assurance
services that identify the relevant measures. The key is to identify
the set of measures that will meet investors’ information needs and
maximize the value of the entity. Of course, the standards would also
provide a set of criteria that can be used to evaluate the reliability of
the measures reported by the entity and allow public accounting firms
to complete an attestation service.
Sources: “IFRS Foundation Announces International Sustainability Standards
Board, consolidation with CDSB and VRF, and publication of prototype disclosure requirements,” IFRS, November 3, 2021 (online source).
Interestingly, in today’s global business environment, activist shareholders are
increasingly pressuring board of director members and upper management teams regarding issues of social responsibility, the environment, and other matters related to sustainability. As a direct result, more companies than ever are directly integrating their ESG
initiatives into their overall business strategy and then seeking to quantify their efforts
with measurable outputs. These measurements are often being used to help quantify
the company’s performance in areas such as the environment, labor, and basic human
rights. For example, in the following Auditing Insight “Climate Change Does Matter”
students can see one of the world’s largest asset managers, has recently toughened their
standards related to climate change and environmental risk reporting for the corporations in their investment portfolio.
AUDITING INSIGHT
Climate Change Does Matter
The environment and sustainability matter a great deal. That is the clear
message being sent by BlackRock, Inc. Indeed, the firm has made clear
that it intends to take a much tougher stance against corporations that
are unwilling to provide a “full accounting” of the environmental risks
that they are facing in their business operations. In taking these steps,
BlackRock seeks to show the marketplace that they are doing what they
can in relation to climate change. Of course, it is an open question just
how much influence BlackRock can have over companies, but their chief
executive, Laurence Fink, clearly believes that by doing so, he will position his firm to “win over younger investors and millennials who want to
invest money in line with personal values.”
Source: “BlackRock Tightens Standards for Firms On Climate Change,”
The Wall Street Journal, January 15, 2020, p. B1.
Of course, whenever a management team makes an assertion about information, there
is an opportunity to perform an attestation engagement. And, although sustainability is
a prominent example of an emerging attestation engagement completed by CPAs, other
examples of attestation engagements completed by CPAs (discussed in more detail in
Module A) appear in the following box.
10 Part One The Contemporary Auditing Environment
Examples of Attestation Engagements
•
•
•
•
Review Engagements (AT-C Section 210), such as providing limited
assurance about whether the professional becomes aware of any
material modifications that need to be made to the subject matter
being examined.
Agreed-Upon Procedures Engagements (AT-C Section 215), such as
verifying inventory quantities and locations.
Prospective Financial Information (AT-C Section 305), such as analysis of prospective or hypothetical “what-if” financial statements for
some time period in the future.
Reporting on Pro Forma Financial Information (AT-C Section
310), such as retroactively analyzing the effect of a proposed or
•
•
•
consummated transaction on the historical financial statements as if
that transaction had already occurred.
Compliance Attestation (AT-C Section 315), such as ascertaining a
client’s compliance with debt covenants.
Reporting on Controls at a Service Organization (AT-C Section 320),
such as organizations that provide outsourced processes that are
likely to be relevant to the user entities’ internal control over financial
reporting.
Examination of Management’s Discussion and Analysis (AT-C Section 395), prepared pursuant to the rules and regulations of the Securities and Exchange Commission (SEC).
Financial Statement Auditing
The focus of this book is on the financial statement auditing process, which is far and
away the most common type of assurance service provided in today’s market. Many
years ago, the American Accounting Association (AAA) Committee on Basic Auditing
Concepts provided a very useful general definition of auditing as follows:
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between the assertions and established criteria and communicating the results to
interested users.4
A closer look at the definition reveals several ideas that are important to an auditing
engagement. Auditing is a systematic process. It is a purposeful and logical process and is
based on the discipline of a structured approach to reaching final decisions. It has a logical
starting point, proceeds along established guidelines, and has a logical conclusion. It is
not haphazard, unplanned, or unstructured.
The process involves obtaining and evaluating evidence. Evidence consists of all types
of information that ultimately guide auditors’ decisions and relate to assertions made by
management about economic actions and events. When beginning a financial statement
audit engagement, an independent auditor is provided with financial statements and other
disclosures by management. In doing so, management essentially makes assertions about
the financial statement balances (e.g., that the inventory on the balance sheet really does
exist, that revenue transactions recorded on the income statement really did occur, that
the list of liabilities on the balance sheet is complete, etc.) as well as assertions that the
footnote disclosures are fairly presented. The audit process has been around for a long
time as shown in the following Auditing Insight “A Rich History.”
AUDITING INSIGHT
A Rich History
Although most of the largest public accounting firms trace their roots to
the turn of the 19th century, auditing in the United States has a rich history. When the Pilgrims had a financial dispute with the English investors
who financed their trip, an “auditor” was sent to resolve the difference.
George Washington sent his financial records to the comptroller of the
treasury to be audited before he could be reimbursed for expenditures
he made during the Revolutionary War. One of the first Congress’s
4
actions in 1789 was to set up an auditor to review and certify public
accounts. Even the “modern” concept of an audit committee is not so
modern; the bylaws of the Potomac Company, formed in 1784 to construct locks on the Potomac River to increase commerce, required that
three shareholders annually examine the company’s records.
Source: D. Flesher, G. Previts, and W. Samson, “Auditing in the United States:
A Historical Perspective,” Abacus, John Wiley & Sons. Inc., 2008, pp. 21–39.
American Accounting Association Committee on Basic Auditing Concepts. A Statement of Basic Auditing Concepts. American
Accounting Association, 1973.
Chapter 1 Auditing and Assurance Services 11
Financial statement auditors generally begin their work with a focus on assertions
(explicit representations) made by management about the financial statement amounts
and information disclosed in footnotes, and then they set out to obtain and evaluate
evidence to prove or disprove these assertions or representations made by management. The purpose of obtaining and evaluating evidence is to ascertain the degree
of correspondence between the assertions made by the information provider and the
established criteria. Auditors will ultimately communicate their findings to interested
users. To communicate in an efficient and understandable manner, auditors and users
must have a common basis or an established criteria for measuring and describing the
financial statement information, which is essential for effective communication.
Established criteria may be found in a variety of sources. For independent financial
statement auditors, the criterion is whatever the applicable financial reporting framework
is, whether it is GAAP in the United States or International Financial Reporting Standards (IFRS) in other jurisdictions. In a financial statement audit, the auditor obtains evidence and evaluates whether the financial statements are being presented fairly based on
the evidence obtained. For example, if a company represented that they had $10 million
in a cash account, the auditor would have to verify with the bank that the company did
in fact have $10 million of cash in the bank. Exhibit 1.3 depicts an overview of financial
statement auditing.
The AAA definition already presented is broad and general enough to encompass
external, internal, and even governmental auditing. The more specific viewpoint of external auditors in public accounting practice is reflected in the following statement about the
financial statement audit made by the AICPA the public accounting community’s professional association:
The purpose of an audit is to provide financial statement users with an opinion by the
auditor on whether the financial statements are presented fairly, in all material respects, in
accordance with an applicable financial reporting framework, which enhances the degree
of confidence that intended users can place in the financial statements. An audit conducted
in accordance with GAAS and relevant ethical requirements enables the auditor to form
that opinion. (AU-C-100.04)
EXHIBIT 1.3 Overview
Financial
Statement
Users
of Financial Statement
Auditing
Less reliable
• Lenders
• Investors
More reliable
Audited
Financial
Statements
and
Footnotes
Financial
Statements
and
Footnotes
Independent Auditor
• Obtains and evaluates evidence
• Evaluates correspondence
between financial statements
and framework (GAAP, IFRS)
12 Part One The Contemporary Auditing Environment
Auditing in a Big Data Environment
In recent years, the auditing environment has been transformed into an environment that
is characterized by the availability of significant amounts of data and cutting-edge analytical tools. As a direct result, entry-level professionals joining public accounting firms are
being asked to have completed coursework related to the use of data and analytical tools.
The following Auditing Insight “Is there really an “APP” for that?” provides compelling
market support for this statement.
AUDITING INSIGHT
Is there really an “APP” for that?
It has become clear that the skills needed by entry-level auditing professionals must include proficiency in data analytics and technology.
But the need for a digital mindset is hardly limited to entry-level
professionals, and to help in their efforts to upskill all of their professionals, PwC introduced an app that is designed to assess an individual’s digital fluency. Once the assessment is complete, the app then
helps an individual to understand what type of training they need to
close any gaps that might exist in their digital fluency.
There are now 60 different subject areas covered on the app,
including blockchain, artificial intelligence, cybersecurity, and robotics among other topics. In addition, the Digital Fitness App (DFA) is
now available on the App Store and is available for free for anyone to
explore key trends in the digital world and to stay in close touch with
recent updates.
It is now obvious that the world has changed, and as a result,
the set of skills acquired by students must also change to adapt to
the new digital world. Most importantly, while PwC is just one firm,
our conversations with professionals across firms of varying size are
in agreement with the need for a digital mindset to effectively operate in an audit environment characterized by Big Data and advanced
analytical tools.
Sources: Digital Fitness Assessment by PricewaterhouseCoopers LLP,
AppStore, Apple, (online source); Digital Fitness For The World, PwC
(online source).
Among the critical issues for students to consider is how to identify the right set of
data to analyze given a set of facts and circumstances. And, of course, how to present
the analyses of such data in the most compelling format while documenting the results
of their work. In addition, while analytical tools can rely on data sources that are both
internal and external to the client, our current understanding is that entry-level audit
professionals in today’s environment need to first learn how to make the best use of
internal data and information produced by the entity, including system-generated reports
used by the client to execute its internal control activities and produce its financial
statements.
Throughout this book, we will be providing examples of how to make the best use of
such internal client data, which includes an emphasis on always verifying the completeness and accuracy of the underlying data set being used. There is even an entire module
(Module G) of this book that is dedicated to the use of Big Data and advanced analytical
tools in the financial statement audit.
REVIEW CHECKPOINTS
1.4 What are the four major elements of the broad definition of assurance services?
1.5 What is an assurance service engagement?
1.6 What is an attestation engagement?
1.7 In what ways are assurance services similar to attestation services?
1.8 Define and explain financial statement auditing. What would you answer if asked by a communications major on campus, “What do auditors do?”
Chapter 1 Auditing and Assurance Services 13
MANAGEMENT’S FINANCIAL STATEMENT ASSERTIONS
LO 1-3
Describe and define the
assertions that management
makes about the
recognition, measurement,
presentation, and disclosure
of the financial statements
and explain why auditors
use them as the focal point
of the audit.
From your earlier studies, you know that accounting is the process of recording, classifying, and summarizing a company’s transactions into financial statements that will create
assets, liabilities, equities, revenues, expenses, and related disclosures. It is the means of
satisfying users’ demands for financial information that arise from the forces of complexity, remoteness, time sensitivity, and consequences.
Auditing does not include the function of producing financial reports. The function of
financial reporting is to provide statements of financial position (balance sheets), results of
operations (income statements, statements of shareholders’ equity, and statements of comprehensive income), changes in cash flows (statements of cash flows), and accompanying
disclosures to outside decision makers who do not have access to management’s internal
sources of information. A company’s accountants, under the direction of its management
team, perform this function. In fact, auditing standards emphasize that the financial statements are the responsibility of a company’s management. Thus, the financial statements
contain management’s assertions about the transactions and events and related disclosures
that occurred during the period being audited (primarily the income statement, statement
of shareholders’ equity, statement of comprehensive income, statement of cash flows, and
related disclosures), and assertions about the account balances and related disclosures at
the end of the period (primarily the balance sheet, and related disclosures).
As the Auditing Insight “Sarbanes–Oxley and Management’s Responsibility for Financial Reporting” makes clear below, the upper management team at public companies must
certify the correctness of the financial statements and the effectiveness of the internal control system for financial reporting. Given the required focus on internal controls, entrylevel audit professionals are expected to understand the relationship between a company’s
internal control activities and the relevant financial statement assertions about the financial statement account balances. We suggest that as a new auditing professional, a detailed
understanding of this relationship will provide you with the opportunity to immediately
contribute to the audit team. As a result, we are hopeful that this book can provide a foundation of knowledge to help simplify the relationship between internal controls and the financial statements, which is paramount in the post-Sarbanes–Oxley auditing environment.
AUDITING INSIGHT
Sarbanes–Oxley and Management’s
Responsibility for Financial Reporting
Congress passed the Sarbanes–Oxley Act in 2002 in an attempt
to address a number of weaknesses found in corporate financial
reporting as a result of the frauds at companies such as WorldCom
and Enron. Although the preparation of the financial statements
has always been the responsibility of management, Sarbanes–
Oxley has enhanced the disclosure provisions to create a heightened sense of accountability. One of its most important provisions
(Section 302) states that key company officials must certify the
financial statements. Certification means that the company’s chief
executive officer and chief financial officer must sign a statement
indicating:
1. They have read the financial statements.
2. They are not aware of any false or misleading statements (or any
key omitted disclosures).
3. They believe that the financial statements present an accurate picture of the company’s financial condition.
Management must also make assertions regarding the effectiveness of the company’s internal controls over financial reporting.
In addition, the auditors are required to issue an attestation report
(Section 404) on the system of internal controls to provide assurance
that the system of internal controls over financial reporting has been
designed and is operating effectively.
Source: U.S. Congress, Sarbanes–Oxley Act of 2002, Pub. L. No. 107-204,
116 Stat. 745, 2002.
When planning the audit engagement, auditors use management’s assertions to assess
external financial reporting risks by determining the different types of misstatements that
could occur for each of the relevant management assertions identified and then develop
auditing procedures that are appropriate in the circumstances. The auditing procedures
14 Part One The Contemporary Auditing Environment
are completed to provide the evidence necessary to persuade the auditor that there is no
material misstatement related to each of the relevant assertions. Once the auditor is satisfied that the evidence has supported each of the relevant assertions, the auditor issues
a report to provide assurance to financial statement users that the financial statements
are free of material misstatement in accordance with generally accepted accounting principles. As an auditor, you must keep in mind the importance of understanding management’s financial statement assertions and always remember that you are serving the entire
public interest, including stakeholders such as bankers, investors, and employees when
ultimately reporting that the financial statements are free of material misstatement.
APOLLO SHOES
The Company
Throughout this book, we will use Apollo Shoes, Inc. (the “Company”)
as a comprehensive case example to help illustrate important auditing
concepts. The Company is a distributor of athletic shoes. The Company’s products are shipped to large and small retail outlets in a six-state
area. The Company operates from a large office, which includes a
warehouse in the Shoetown, Maine, area. In this chapter, we will illustrate the financial statement assertions using Apollo Shoes.
When studying and learning about the assertions, a student of auditing must always
remember that each assertion gives rise to a question that can be answered with audit
evidence. Exhibit 1.4 provides a list of all of management’s financial statement assertions
and some of the key questions that the audit team must address, with evidence, about
each assertion. Note that column 1 in Exhibit 1.4 denotes the assertions currently identified by the PCAOB for public company audits.5 The PCAOB auditing standards do allow
auditors to use different management assertions at their discretion, provided that the
assertions cover the pertinent risks in each significant account. In that spirit, the Auditing
Standards Board (ASB)6 provides an additional set of management assertions (columns 2
and 3 in Exhibit 1.4). You will note that the ASB set of assertions, while largely in alignment with the PCAOB assertions, does provide greater detail and clarity for students of
auditing to conceptualize. The key questions (column 4) indicate how each of these assertions must be thought about when evaluating specific aspects of management’s financial
statements and disclosures. Each of the assertions is defined and described in detail in
the following sections, organized along the lines of the PCAOB assertions identified in
column 1, with the aligned ASB assertion(s) following in parentheses.
Existence or Occurrence (Existence, Occurrence, Cutoff)
The numbers listed on the financial statements have no meaning to financial statement
users unless the numbers faithfully represent the actual transactions, assets, and liabilities
of the company. Existence asserts that each of the balance sheet and income statement
balances actually exist. Occurrence asserts that each of the income statement events and
transactions actually did occur in the proper period. As a general rule, the occurrence
assertion relates to events, transactions, presentations, and footnote disclosures (as indicated in columns 2 of Exhibit 1.4), and the existence assertion relates to account balances and footnote disclosures (as indicated in column 3). Therefore, auditors must test
whether the balance sheet amounts reported as assets, liabilities, and equities actually
exist. To test the existence assertion, auditors typically verify cash with banks and count
5
The PCAOB is a nonprofit corporation established by Congress to oversee the audits of public companies. The PCAOB is discussed
in more detail in Chapter 2.
6
The ASB was established by the profession to issue auditing standards. Standards issued by the ASB apply to audits of private
companies. The ASB is discussed in more detail in Chapter 2.
Chapter 1 Auditing and Assurance Services 15
EXHIBIT 1.4 Management Assertions
ASB Assertions
(1)
(2)
(3)
(4)
PCAOB Assertions
Assertions about
Classes of Transactions
and Events, and
Related Disclosures
Assertions
about Account
Balances
and Related
Disclosures
Key Questions
Existence
Do the assets listed really exist?
Existence or occurrence
Occurrence
Did the transactions really occur?
Cutoff
Did the recorded sales transactions occur in the period?
Completeness
Completeness
Completeness
Were all transactions recorded on the income statement?
Cutoff
Valuation or
allocation
Are transactions included in the proper period?
Accuracy,
valuation, and
allocation
Accuracy
Rights and obligations
Presentation and
disclosure
Are all accounts recorded on the balance sheet?
Are the balance sheet accounts valued correctly?
Are the transactions accurately recorded?
Rights and
obligations
Does the company really own the assets?
Rights and obligations
Are all legal responsibilities to pay the liabilities
identified?
Classification
Were all transactions recorded in the correct
accounts?
Presentation
Presentation
Are the disclosures understandable to users?
Are all required footnote disclosures included?
the physical inventory, verify accounts receivables and insurance policies with customers, and perform other procedures to obtain evidence whether management’s assertion is
in fact supported. Similarly, management asserts that each of the revenue and expense
transactions summarized on the income statement or disclosed in the financial statement
footnotes really did occur during the period being audited. To test the occurrence and the
cutoff assertions, auditors complete procedures to ensure that the reported sales transactions really did occur and were not created to fraudulently inflate the company’s profits.
APOLLO SHOES
Existence or Occurrence
On Apollo Shoes, management would assert that their assets or liabilities all exist as of December 31. For example, management asserts
that its cash on the balance sheet really does exist. In addition,
management asserts that each revenue transaction on the income
statement actually did occur.
Completeness (Completeness, Cutoff)
In the financial statements, management asserts that all transactions, events, assets, liabilities, and equities that should have been recorded have been recorded. In addition,
management asserts that all disclosures that should have been included in the footnotes
have been presented. Thus, auditors’ specific objectives include obtaining evidence
16 Part One The Contemporary Auditing Environment
to determine whether, for example, all inventory is included, all accounts payable are
included, all notes payable are included, all expenses are recorded, and so forth. A verbal or written management representation saying that all transactions are included in the
accounts is not considered a sufficient basis for deciding whether the completeness assertion is true. Auditors need to obtain persuasive evidence about completeness.
Cutoff is a more detailed expression of the completeness assertion. Cutoff refers to
accounting for revenue, expense, and other transactions in the proper period (neither
postponing some recordings to the next period nor accelerating next-period transactions
into the current-year accounts). Assuming a calender year-end, simple cutoff errors can
occur when (1) a company records late December sales invoices for goods not actually
shipped until early January; (2) a company records cash receipts through the end of the
week (e.g., Friday, January 4) when the last batch of receipts for the year should have
been processed on December 31; (3) a company fails to record accruals for expenses
incurred but not yet paid, thus understating both expenses and liabilities; (4) a company
fails to record purchases of materials shipped free on board (FOB) shipping point but
not yet received and, therefore, not included in the ending inventory, thus understating
both inventory and accounts payable; and (5) a company fails to accrue unbilled revenue
through the fiscal year-end for customers on a cycle billing system, thus understating both
revenue and accounts receivable. In auditor’s jargon, the cutoff date generally refers to the
client’s year-end balance sheet date.
APOLLO SHOES
Completeness
On Apollo Shoes, management would assert that their assets or liabilities were complete as of December 31. For example, management
asserts that its accounts payable on the balance sheet includes all
amounts currently payable. In addition, management would assert
that all expenses that should be included on the income statement
actually were included.
Valuation and Allocation (Accuracy, Valuation, and Allocation)
In the financial statements, management asserts that the transactions and events have
been recorded accurately and that the assets, liabilities, and equities listed on the balance
sheet have been valued in accordance with GAAP (or IFRS). The audit objective related
to valuation and allocation is to determine whether proper values have been assigned to
assets, liabilities, and equities. Allocation refers to the appropriate percentage of an asset
or liability balance being recorded on the income statement in accordance with GAAP
(or IFRS). For example, has the proper depreciation expense been calculated for each
fixed asset amount? Accuracy refers to the appropriate recording of the transactions at
the correct amount. Auditors obtain evidence about specific valuations and mathematical
accuracy by comparing vendors’ invoices to inventory prices, obtaining lower-of-costor-market data, evaluating collectability of receivables, recalculating depreciation schedules, and so forth. Many valuation, accuracy, and allocation decisions amount to reaching
conclusions about the proper application of GAAP (or IFRS). For example, due to the
complexity in the accounting standards related to fair value (i.e., ASC Topic 820), there
has been an increased focus on the valuation assertion by auditors.
APOLLO SHOES
Valuation and Allocation
On Apollo Shoes, management would assert that their assets or
liabilities were valued in accordance with GAAP as of December
31. For example, management asserts that its accounts receivable
balance, net of the allowance for doubtful accounts, was stated at
the amount they actually expect to collect. In addition, management
would assert that depreciation expense on the income statement
reflects the appropriate allocation of fixed assets to the period of
benefit under GAAP.
Chapter 1 Auditing and Assurance Services 17
Rights and Obligations (Rights and Obligations)
In the financial statements, management asserts that they have ownership rights for all
amounts reported as assets on the company’s balance sheet and that the amounts reported
as liabilities represent the company’s own obligations. In simpler terms, the objective for
an auditor is to obtain evidence that the assets are really owned and that the liabilities
are really owed by the company being audited. You should be careful about ownership,
however, because the assertion extends to include assets for which a company may not
actually hold title. For example, an auditor will have a specific objective of obtaining
evidence about the amounts capitalized for leased property. Likewise, owing includes
accounting liabilities a company may not yet be legally obligated to pay. For example, an
auditor would have to obtain evidence about the estimated liability for product warranties. The auditor also has an obligation to ensure that the details of the company’s obligations are properly disclosed in the footnotes to the financial statements.
APOLLO SHOES
Rights and Obligations
On Apollo Shoes, management would assert that they really do own
and have the rights to the assets listed on the balance sheet, and that
they really are obliged to pay the amount listed on the balance sheet
for liabilities as of December 31. For example, management asserts
that it really owns its inventory of shoes. In addition, management
asserts that it really does owe the amount listed for accrued expenses.
Presentation and Disclosure (Classification, Presentation)
In the financial statements, management asserts that all transactions and events have been
presented correctly in accordance with GAAP (or IFRS) and that all relevant information
has been disclosed to financial statement users, usually in the footnotes to the financial
statements. This assertion embodies several different components. First, disclosures must
be relevant, reliable, understandable, and transparent to financial statement users. In addition, auditors will test to make sure that all the proper disclosures have been made in
accordance with GAAP (or IFRS). To complete this step, auditors will often use a disclosure checklist that highlights all the disclosures that should be made for a particular entity.
Second, transactions must be classified in the correct accounts (e.g., proper classification of transactions as assets or expenses). To test this assertion, auditors perform audit
procedures such as analyzing repair and maintenance expenses to ensure that they should
in fact have been expensed rather than capitalized. Similarly, auditors will test from the
opposite direction, examining additions to buildings and equipment to ensure that transactions that should have been expensed were not in fact capitalized in error (or fraud).
Third, to be useful to decision makers, information must be understandable. Statement of Financial Accounting Concepts (SFAC) No. 2, “Qualitative Characteristics of
Accounting Information,” defines understandability as “the quality of information that
enables users to perceive its significance.” The responsibility levied on auditors is to
make sure that the financial statements are “transparent.” In other words, investors should
be able to understand how the company is doing by reading its financial statements and
footnotes and should not have to rely on financial experts or lawyers to help them figure
out what the fine print is saying. Another way to regard this assertion is to ask whether
the disclosures have been written in plain English.
APOLLO SHOES
Presentation and Disclosure
On Apollo Shoes, management would assert that they have completely and accurately presented and disclosed all of their footnotes.
For example, management asserts that its income tax footnote
disclosure is complete and accurately shows the breakdown of current and deferred income taxes.
18 Part One The Contemporary Auditing Environment
Importance of Assertions
On each audit engagement, the auditor must identify each significant account or disclosure
in the financial statements. An account or disclosure is significant if there is a reasonable
possibility that the account or disclosure could contain a misstatement that is material.
Once the significant accounts and disclosures have been identified, the auditor must then
consider the relevance of each financial statement assertion, one at a time. An assertion is
relevant, if there is a “reasonable possibility” that a material misstatement exists related to
that assertion for the significant account being audited. As a result, the relevance of a particular assertion is entirely dependent on the facts and circumstances on the audit engagement. For example, valuation may not be a relevant assertion for the cash account unless
foreign currency translation is involved; however, the existence of cash is always relevant.
The financial statement assertions are important and at times can be difficult to
comprehend. A student of auditing must remember that the key questions that must
be answered about each assertion become the focal points for the audit procedures to
be performed. In other words, audit procedures are the means to answer the key questions posed by management’s financial statement assertions. When evidence-gathering
audit procedures are specified, you need to be able to relate the evidence produced
by each procedure to one or more specific assertions. In essence, the secret to writing and reviewing a list of audit procedures is to ask, “Which assertion(s) does this
procedure produce evidence about?” Then ask, “Does the list of procedures (the audit
plan) cover all the assertions?” Exhibit 1.5 illustrates how the assertions relate to the
financial statements.
Although standards-setting bodies such as the PCAOB and ASB try to neatly categorize transactions, balances, and disclosures according to the different assertions, the real
world is seldom as orderly. For example, although cutoff procedures provide evidence
about completeness, they also provide evidence about valuation and occurrence. Prematurely recording sales transactions inflates revenue and/or asset values because the transaction did not occur by the income statement date. Similarly, if a cutoff test shows a delay
in recording a liability, the liability is not only incomplete but undervalued as well. Thus,
errors in financial statements may affect multiple management assertions.
REVIEW CHECKPOINTS
1.9 What is the difference between financial statement auditing and financial accounting?
1.10List and briefly explain each of the Auditing Standards Board’s (ASB) management assertions. List
at least one key question that auditors must answer with evidence related to each management
assertion.
1.11Why is the ASB’s set of management assertions important to auditors? Do these assertions differ
from those included in PCAOB standards? If so, how are they different?
PROFESSIONAL SKEPTICISM
LO 1-4
Define professional
skepticism and explain its
key characteristics.
Trust, but Verify
A “signature phrase” used by Ronald Reagan during his
term as president of the United States (1980-1988).
Professional skepticism is defined in the professional auditing standards as having an atti-
tude that “includes a questioning mind and a critical assessment of evidence.” Essentially,
Chapter 1 Auditing and Assurance Services 19
EXHIBIT 1.5 Management Assertions and Their Relationship to the Financial Statements
STATEMENT OF FINANCIAL CONDITION
APOLLO SHOES INC.
in thousands
As of December 31
Assets
Cash
Accounts Receivable (Net of Allowances of $1,263 and 210,
respectively) (Note 3)
Inventory (Note 4)
Prepaid Expenses
Current Assets
Property, Plant, and Equipment (Note 5)
Less Accumulated Depreciation
Investments (Note 6)
Other Assets
Total Assets
Liabilities and Shareholders’ Equity
Accounts Payable and Accrued Expenses
Short-Term Liabilities (Note 7)
Current Liabilities
Long-Term Debt (Note 7)
Total Liabilities
Common Stock
Additional Paid-in Capital
Retained Earnings
Total Shareholders’ Equity
Total Liabilities and Shareholders’ Equity
The accompanying notes are an integral part of the consolidated
financial statements.
2023
2022
$3,245
15,I48
$3,509
2,738
15,813
951
$35,157
1,174
(164)
$1,010
613
14
$36,794
13,823
352
$20,422
300
(31)
$269
613
0
$21,304
$4,675
10,000
$14,675
0
$14,675
8,105
7,743
6,271
$22,119
$36,794
$3,556
0
3,556
0
3,556
8,105
7,743
1,900
$17,748
$21,304
Occurrence—Did these sales transactions really take place?
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
APOLLO SHOES, INC.
Existence—Does this cash really exist?
Rights and Obligations—Does the company really own
this inventory?
Valuation or Allocation—Are these investments properly
valued?
Completeness—Does the accounts payable and accrued
expenses balance include all amounts owed?
STATEMENTS OF INCOME
APOLLO SHOES INC.
in thousands (except per share data)
For year ended December 31,
Net Sales (Note 2)
Cost of Sales
Gross Profit
Selling, General and Administrative Expenses
Interest Expense (Note 7)
Other Expense (Income)
Earnings from Continuing Operations
Before Taxes
Income Tax Expense (Note 10)
Earnings from Continuing Operations
Discontinued Operations, Net of tax benefit
Extraordinary Item, Net of tax benefit (Note 11)
Net Income
2023
2022
$240,575
$141,569
$99,006
$71,998
$875
($204)
$236,299
$120,880
$115,419
$61,949
0
($1,210)
$26,337
$10,271
$16,066
$54,680
$21,634
$33,046
($31,301)
($11,695)
$4,371
$1,745
Earnings Per Common Share
From Continuing Operations
Other
$1.98
($1.44)
$4.08
($3.86)
Net Income
$0.54
$0.22
Marketable Securities Investments are valued using the market value method for investments of less
than 20%, and by the equity method for investments greater than 20% but less than 50%.
Weighted shares of common stock outstanding
8,105
8,105
Cash equivalents Cash equivalents are defined as highly liquid investments with original maturities of
three months or less at date of purchase.
The accompanying notes are an integral part of the consolidated
financial statements.
1. Summary of Significant Accounting Policies
Business activity The Company develops and markets technologically superior podiatric athletic
products under various trademarks, including SIREN, SPOTLIGHT, and SPEAKERSHOE.
Inventory valuation Inventories are stated at the lower of First-in, First-out (FIFO) or market.
Property and equipment and depreciation Property and equipment are stated at cost. The Company
uses the straight-line method of depreciation for all additions to property, plant, and equipment.
Intangibles Intangibles are amortized on the straight-line method over periods benefited.
Net Sales Sales for 2023 and 2022 are presented net of sales returns and allowances of $4.5 million,
and $0.9 million, respectively, and net of warranty expenses of $ 1.1 million, and $0.9 million, respectively.
Presentation and Disclosure—Are these disclosures
understandable? Has everything been disclosed that
should be?
Income taxes Deferred income taxes are provided for the tax effects of timing differences in reporting
the results of operations for financial statements and income tax purposes, and relate principally to
valuation reserves for accounts receivable and inventory, accelerated depreciation and unearned
compensation.
Net income per common share Net income per common share is computed based on the weighted
average number of common and common equivalent shares outstanding for the period.
Reclassification Certain amounts have been reclassified to conform to the 2022 presentation.
2. Significant Customers
Approximately 15%, and 11% of sales are to one customer for years ended December 31, 2023 and 2022,
respectively.
it is an auditor’s responsibility to not accept management assertions without corroboration. Stated differently, an auditor must ask management to “prove” each of the relevant
assertions with documentary evidence. The possibility of errors and fraud in financial
reports highlights the following basic premise, which underlies the importance of professional skepticism: A potential conflict of interest always exists between the auditors and
the management of the company being audited. This potential conflict arises because
management wants to present the company’s financial condition in the best possible light
whereas auditors must ensure that the information about the company’s financial condition is “presented fairly.” The following Auditing Insight “Auditors Must Be Skeptical”
illustrates why skepticism is needed.
20 Part One The Contemporary Auditing Environment
AUDITING INSIGHT
Auditors Must Be Skeptical?
Evergrande Group, the second largest property developer in China
with more than 1,300 projects in over 280 cities, received a clean
bill of health from its auditors, PricewaterhouseCoopers (PwC),on its
2020 financial statements. But should they have received a goingconcern issuance instead? The obvious question is, were the auditors
skeptical enough of the issues the company was facing.
Evergrande is a company with significant debt; it has over $300
billion in total liabilities, including $88.5 billion in debt. In fact, in early
December of 2021, Evergrande missed its interest payment of $1.2
billion to international investors, causing the ratings company Fitch to
declare Evergrande in default. Further, Evergrande is being forced to
sell undeveloped land in Hong Kong that is used to secure debt held
by a U.S. debt holder. Consider that all of this has occurred in less than
a year of PwC’s March 31, 2021 audit report. Perhaps a little more
skepticism was warranted?
Sources: “Evergrande to push ahead with sale of Hong Kong land after
receiver appointment-source,” Nasdaq, February 4 2022 (online source);
“Evergrande: China property giant misses debt deadline,” BBC, December 9,
2021 (online source); “China Evergrande Auditor Gave Clean Bill of Health
Despite Debt,” Wall Street Journal Online, September 24, 2021 (online source).
With full awareness of this potential conflict of interest, auditors must always remain
professionally skeptical in their relationships with management, but not adversarial or
confrontational. Nevertheless, knowing that a potential conflict of interest always exists
causes auditors to perform procedures to search for errors and frauds that could have a
material effect on the financial statements. And even though the vast majority of audits
do not contain fraud, auditors have no choice but to exercise professional skepticism at
all times and on all audits because of misdeeds perpetrated by just a few people in a
few companies. The professional standards emphasize the importance of maintaining and
then applying an attitude of professional skepticism throughout the entire audit process.
Auditing firms have long recognized the importance of exercising professional skepticism when making professional judgments. In fact, as illustrated in the following Auditing
Insight, “Overcoming Judgment Biases,” firms have increasingly stressed the importance
of being skeptical when evaluating documentary evidence. You can definitely expect to
encounter difficult economic transactions as an auditor. When auditors encounter a difficult transaction, they must take the time to fully understand the economic substance of
that transaction and then critically evaluate, with skepticism, the evidence provided by
the client to justify its accounting treatment. No shortcuts are allowed. Rather, auditors
are required to be unbiased and objective when making their professional judgments.
AUDITING INSIGHT
Overcoming Judgment Biases
Judgment and decision-making researchers in auditing have long
known about common biases that can interfere with or obstruct auditors from making excellent professional judgments. One example is
the anchoring bias, which recognizes the possibility that an auditor
might “anchor” on a number provided by a client manager (e.g., an
estimate for the allowance for doubtful accounts) and then have difficulty adjusting to the economically correct amount. In its monograph,
entitled “Elevating Professional Judgment in Accounting and Auditing,” KPMG outlines a professional judgment framework designed to
help auditors mitigate professional judgment biases like the anchoring
bias. In order to do so, auditors must first be aware of the possibility
that these biases might interfere with their professional judgment.
Beyond awareness, the monograph argues that auditors must follow
a disciplined process that includes (1) clarifying the issues and objectives, (2) considering the possible alternatives, (3) gathering and evaluating the relevant evidence, (4) reaching an audit conclusion, and (5)
carefully documenting their rationale for the professional judgment
reached. And, perhaps most importantly, the monograph emphasizes the importance of an auditor exercising professional skepticism
throughout the entire process.
Source: “Elevating Professional Judgment in Accounting and Auditing: The
KPMG Professional Judgment Framework,” Montvale, NJ, KMPG, 2011.
Persuading a skeptical auditor is not impossible, just somewhat more difficult than
persuading a normal person in an everyday context. Skepticism is a manifestation of
objectivity, holding no special concern for preconceived conclusions on any side of an
issue. In fact, the auditor should not care about the impact that an economic transaction
Chapter 1 Auditing and Assurance Services 21
has on the “bottom line” of a company, only that the accounting rules were followed
and were properly applied and that the financial statements are appropriate for the user’s
needs. Skepticism is not being cynical, hypercritical, or scornful. The properly skeptical
auditor asks questions such as the following: (1) What do I need to know? (2) How well
do I know it? (3) Does it make sense? and (4) What could go wrong?
Auditors understand that receiving explanations from an entity’s management is merely
the first step in the professional judgment process, not the last. Auditors must listen to the
explanation, and then always test it by examining sufficient competent audit evidence.
The familiar phrase “healthy skepticism” should be viewed as a show-me attitude, not a
predisposition to accepting unsubstantiated explanations. Auditors must gather the evidence needed, uncover all the implications from the evidence, and then arrive at the most
appropriate and supportable conclusion. Time pressure to complete a financial statement
audit engagement is no excuse for failing to exercise professional skepticism. Too many
auditors have gotten themselves into trouble by accepting a manager’s glib explanation
and stopping too early in an investigation without seeking corroborating evidence.
AUDITING INSIGHT
Professional Skepticism
In its Staff Audit Practice Alert about professional skepticism, the PCAOB
expressed serious concern about “whether auditors consistently and
diligently apply professional skepticism.” The alert recognizes that
there are a number of factors that could “impede” the application of
professional skepticism but stresses the importance of taking whatever actions are necessary to make sure that professional skepticism is
applied in an appropriate manner throughout the audit process.
Questions
THE HURTT SKEPTICISM SCALE
How skeptical are you? Answer the following 30 questions to find out.
As a benchmark, business students typically fall between 90 to 150
points; auditors score much higher.
Strongly
Disagree
Strongly
Agree
1. I often accept other people’s explanations without further thought.
1
2
3
4
5
6
2. I feel good about myself.
1
2
3
4
5
6
3. I wait to decide on issues until I can get more information.
1
2
3
4
5
6
4. The prospect of learning excites me.
1
2
3
4
5
6
5. I am interested in what causes people to behave the way that they do.
1
2
3
4
5
6
6. I am confident of my abilities.
1
2
3
4
5
6
7. I often reject statements unless I have proof that they are true.
1
2
3
4
5
6
8. Discovering new information is fun.
1
2
3
4
5
6
9. I take my time when making decisions.
1
2
3
4
5
6
10. I tend to immediately accept what other people tell me.
1
2
3
4
5
6
11. Other people’s behavior does not interest me.
1
2
3
4
5
6
12. I am self-assured.
1
2
3
4
5
6
13. My friends tell me that I usually question things that I see or hear.
1
2
3
4
5
6
14. I like to understand the reason for other people’s behavior.
1
2
3
4
5
6
15. I think that learning is exciting.
1
2
3
4
5
6
16. I usually accept things I see, read, or hear at face value.
1
2
3
4
5
6
17. I do not feel sure of myself.
1
2
3
4
5
6
18. I usually notice inconsistencies in explanations.
1
2
3
4
5
6
(continued)
22 Part One The Contemporary Auditing Environment
AUDITING INSIGHT
(concluded)
Strongly
Disagree
Questions
Strongly
Agree
19. Most often I agree with what the others in my group think.
1
2
3
4
5
6
20. I dislike having to make decisions quickly.
1
2
3
4
5
6
21. I have confidence in myself.
1
2
3
4
5
6
22. I do not like to decide until I’ve looked at all of the readily available information.
1
2
3
4
5
6
23. I like searching for knowledge.
1
2
3
4
5
6
24. I frequently question things that I see or hear.
1
2
3
4
5
6
25. It is easy for other people to convince me.
1
2
3
4
5
6
26. I seldom consider why people behave in a certain way.
1
2
3
4
5
6
27. I like to ensure that I’ve considered most available information before making a decision.
1
2
3
4
5
6
28. I enjoy trying to determine if what I read or hear is true.
1
2
3
4
5
6
29. I relish learning.
1
2
3
4
5
6
30. The actions people take and the reasons for those actions are fascinating.
1
2
3
4
5
6
Sources: K. Hurtt, “Development of a Scale to Measure Professional Skepticism,” Auditing: A Journal of Practice & Theory, May 2010, pp. 149–171; Staff Audit Practice Alert No. 10: Maintaining and Applying Professional Skepticism in Audits, Washington, DC, PCAOB, 2012.
Although the SEC places constraints on the common practice of auditors’ joining
public clients that they have previously audited, close relationships often exist between
former colleagues now employed by the client and members of the audit team. In these
cases, the audit team must guard against being too trusting in accepting representations
about the client’s financial statements. Of more concern is the fact that former colleagues
have inside knowledge of the firm’s practices and procedures, knowing where the audit
team will probably look (and where they might not look).
To summarize, due care requires an auditor to be professionally skeptical and question
all material representations made by management (whether written or oral) during the
professional judgment process. Although this attitude must be balanced by maintaining
healthy client relationships, auditors should never assume that management is perfectly
honest. The key lies in auditors’ skeptical attitude toward gathering and evaluating the
evidence necessary to reach supportable conclusions.
REVIEW CHECKPOINT
1.12Why should auditors act as though there is always a potential conflict of interest between the
auditor and the management team of the organization being audited?
PUBLIC ACCOUNTING
LO 1-5
Describe the organization of
public accounting firms and
identify the various services
that they offer.
The practice of public accounting is conducted in thousands of practice units ranging
in size from sole proprietorships (individuals who “hang out a shingle” in front of their
homes) to the largest international firms with thousands of professionals. Furthermore,
many public accounting firms no longer designate themselves as CPA firms. Many of
them describe their businesses and their organizations as professional services firms or
some variation of this term. While Exhibit 1.6 shows an organization for a typical public
Chapter 1 Auditing and Assurance Services 23
EXHIBIT 1.6
Chair and CEO
Public Accounting
Firm Organization
Local Offices
Office Managing
Partner
Tax Services
Auditing and Assurance Services
Partner
Manager
Manager
Advisory Services
Partner
Manager
Senior (in-charge) accountants
Staff accountants (or associates)
Manager
Manager
Manager
Senior (in-charge) accountants
Staff accountants (or associates)
accounting firm, some firms differ in their organization. For example, some have other
departments such as small business advisory and forensic accounting. Other firms may
be organized by industry (e.g., entertainment, oil and gas, health care, financial institutions) to take advantage of firmwide expertise. And still some other firms have different
names for their staff and management positions.
Auditing and Assurance Services
Generally speaking, auditing and assurance services involve adding value (e.g., lending credibility) to information, whether that information is financial or nonfinancial. While financial statement auditing services remain the dominant service area, CPAs have also provided
assurance to vote counts (e.g., the Academy Awards), dollar amounts of prizes that sweepstakes have claimed to award, accuracy of advertisements, investment performance statistics,
and characteristics claimed for computer software programs. Previously, we talked about
the difference between assurance, attestation, and financial statement auditing services. And
although assurance services (separate and distinct from auditing and attestation services)
currently represent a fairly small part of a normal firm’s operating revenues, the AICPA
continues to make an effort to market these additional services to the public and businesses.
Consider the following Auditing Insight “Baseball Hall of Fame.”
AUDITING INSIGHT
Baseball Hall of Fame
For baseball fans, the annual Hall of Fame vote has always been a
source of fun and entertainment which is quite often accompanied
by spirited conversation regarding the criteria that a player needs to
meet to gain admittance into the Hall.
The Baseball Writers’ Association of America is responsible for the
voting and only those writers that maintain 10 consecutive years following a team are eligible to vote. But, do you know who verifies that
eligible voters are properly registered, has signed a code of conduct,
and verifies the actual count of votes? You may have guessed it, one
of the largest audit firms in the world, EY. So, although you might disagree with the final outcome from time to time, you can be assured
that the appropriate process was followed and an accurate count was
conducted each and every year!
Source: “2022 BBWAA Hall of Fame Ballot Features 30 Former Players,”
Baseball Hall of Fame, November 22, 2021 (online source).
At the present time, public accounting firms will use auditing and assurance services
as a revenue category that includes financial statement audit engagements, attestation
engagements, and other assurance engagements. We discuss these services as key examples of auditing and assurance services that public accounting firms offer.
Financial Statement Auditing Services
Most of the large, international accounting (Big Four) firms were founded around the
turn of the 20th century (late 1800s/early 1900s) during the Industrial Revolution as
24 Part One The Contemporary Auditing Environment
European financiers sent representatives (individuals whom we now refer to as auditors)
to check up on their investments (mostly railroads) in the United States. As such, the
primary focus of many large international accounting firms’ practice has been traditional
accounting and auditing services. Audits of traditional financial statements remain the
most frequent type of assurance engagement that public companies (and most large and
medium nonpublic companies) demand. Exhibit 1.7 shows the auditing (and other assurance services) revenues of the Big Four accounting firms based on their 2021 annual
reports. This level of auditing activity usually drops as the size of the public accounting
firm decreases. In other words, smaller firms usually provide more nonaudit and attestation services for their clients.
Nonaudit and Attestation Engagements
Basic accounting and review services are “nonaudit” services, performed frequently for
medium and small businesses and not-for-profit organizations. Small public accounting
firms perform a great deal of this type of nonaudit work. For example, CPAs can perform
a compilation, which consists of preparing financial statements from a client’s books and
records, without performing any evidence-gathering work. They can also perform a review,
in which limited evidence-gathering work is performed but which is narrower in scope than
an audit. CPAs can also attest to the accuracy of management’s discussion and analysis
(MD&A) that accompanies the financial statements in an annual report, an entity’s internal
controls, and hypothetical “what-if” projections relating to mergers or acquisitions.
Tax Services
Local, state, national, and international tax laws are often called “accountant and attorney
full-employment acts.” The laws are complex, and CPAs perform tax planning services
and tax return preparation in the areas of income, gift, estate, property, and other taxation. A large proportion of the practice in small public accounting firms is tax related. Tax
laws change frequently, and tax practitioners must spend considerable time in continuing
education and self-study to keep current. Exhibit 1.7 shows the tax revenues of the Big
Four accounting firms based on their 2021 annual reports. Smaller public accounting
firms tend to conduct more tax consulting engagements and fewer audit engagements.
Regulatory guidance from the PCAOB and AICPA prohibits an accounting firm from
providing auditing services to a public company if the accounting firm provides tax consulting on aggressive interpretations of tax laws or “listed” transactions (those included on the
U.S. Treasury Department’s list of questionable tax strategies), if contingent fees (i.e., fees
depending on a certain outcome) are involved, or if the public accounting firm provides tax
services for key company executives. In all three cases, the regulatory guidance suggests that
auditor independence would be impaired. Providing normal corporate tax return preparation
and advice is permissible as long as the audit committee discusses with the accounting firm
the implications of the tax consulting fees on auditor independence and preapproves the relationship in writing. As a result, this remains a common service area for firms to provide to
their audit clients, but the firm must always maintain its independence and objectivity.
EXHIBIT 1.7 Revenues for the Big Four CPA Firms
Deloitte
EY
KPMG
PwC
Total revenues (in billions)
$50.2
$40.0
$32.1
$45.1
Auditing and assurance services revenues
$10.4
$13.6
$11.4
$17.0
(in billions and as a percent of revenue)
Tax revenues
(in billions and as a percent of revenue)
Advisory services revenues
(in billions and as a percent of revenue)
21%
$ 8.9
18%
$30.9
61%
34%
$10.5
26%
$15.9
40%
36%
$ 7.1
22%
$13.6
42%
38%
$11.1
24%
$17.0
38%
Source: “Deloitte 2021 Total Revenue,” Deloitte LLP, 2021 (online source); “EY 2021 Total Revenue,” Ernst & Young LLP, 2021 (online source); PwC 2021 Total
Revenue,” PricewaterhouseCoopers LLP, 2021 (online source); KPMG 2021 Total Revenue,” KPMG LLP, 2021 (online source).
Chapter 1 Auditing and Assurance Services 25
Advisory Services
Prior to the turn of this century (the 1990s), the largest public accounting firms handled
a great deal of advisory services for their auditing clients. In fact, advisory services provided a great new revenue opportunity for firms and the potential for even more business
appeared at times to be unlimited. Public accounting firms tried to become “one-stop
shopping centers” for clients’ auditing, taxation, and advisory services.
The SEC, the governmental agency which is responsible for investor protection,
expressed reservations as to whether the performance of nonaudit services (such as
advisory) impaired a public accounting firm’s ability to conduct an independent audit.
The SEC’s concern was that the large amount of revenues generated from advisory
services might sway the auditor’s opinion on the company’s financial statements. The
public accounting firms, on the other hand, argued that the provision of advisory services allowed them a closer look at the client’s operations, providing a synergistic,
positive effect on the audit.
In response to the spate of corporate frauds, Congress resolved this difference of
opinion, in part, by passing Sarbanes–Oxley which was seen as a broad accounting and
corporate governance reform measure. Sarbanes–Oxley prohibits public accounting
firms from providing any of the following services to a public audit client: (1) bookkeeping and related services; (2) design or implementation of financial information
systems; (3) appraisal or valuation services; (4) actuarial services; (5) internal audit
outsourcing; (6) management or human resources services; (7) investment or broker/
dealer services; and (8) legal and expert services (unrelated to the audit). As already
stated, public accounting firms may provide general corporate tax return preparation
and advice and other nonprohibited services to public audit clients if the company’s
audit committee has approved them in advance.
To briefly summarize these restrictions, Sarbanes–Oxley prohibits public accounting
firms from performing any consulting or advisory services in which the auditors may
find themselves making managerial decisions or that would result in the firm auditing its
own work (e.g., completing a financial information system implementation for its audit
client). As a result of Sarbanes–Oxley, most of the large firms now provide consulting
only for companies that they do not audit. However, the Big Four firms have still been
able to dramatically increase the size of their advisory services in recent years. As shown
in Exhibit 1.7, firm advisory revenues ranged between 38 and 61 percent of the Big
Four firms’ total revenues in 2021. Of course, public accounting firms are not required
to follow Sarbanes–Oxley guidelines for their non-SEC clients, and in those situations,
firms can provide an array of consulting and advisory services provided they maintain
their independence and objectivity when completing the financial statement audit. In fact,
the following Auditing Insight “Is There Room for Public Accounting Firms?” shows that
public accounting firms may even enter the legal services market.
AUDITING INSIGHT
Is There Room for Public Accounting Firms?
There are some that say it is only a matter of time until the Big 4
public accounting firms become a dominant force in the lucrative
corporate legal services marketplace. A recent research study noted
that “the Big 4 accounting firms have expanded their legal service
arms to historic proportions over the last decade.” And, even though
“most of the Big 4’s revenue from legal services is presently generated outside the U.S.,” it appears to be only a matter of time until
that changes.
In fact, When the American Bar Association passed a resolution in
February 2020 which encouraged state bar associations to look at new
ways to access legal services, there are now some states that are considering allowing non-lawyers to own firms that provide legal services,
which would appear to open the door for accounting firms to enter the
market. Of course, there are very strict regulatory issues to deal with, in
particular, in regards to whether a firm can remain independent if they
are also performing a financial statement audit of a client. But, this line
of service appears to be a promising avenue for growth.
Source: B.E. Brewster, J.H. Grenier D.N. Herda, M.E. Marshall, “Big 4 Firms as
Legal Service Providers: Implications for Audit Practice and Future Research
Directions,” Accounting Horizons, September, 2021, pp. 93–112.
26 Part One The Contemporary Auditing Environment
REVIEW CHECKPOINTS
1.13 What are some examples of assurance services performed on nonfinancial information?
1.14 What are some of the major areas of public accounting services?
OTHER KINDS OF ENGAGEMENTS AND INFORMATION
PROFESSIONALS
LO 1-6
Describe the audits and
auditors in governmental,
internal, and operational
auditing.
The AAA and the AICPA definitions of auditing clearly apply to the independent financial statement auditors who work in public accounting firms. The word audit, however, is
also used in other contexts to describe broader types of work. The variety of engagements
performed by different kinds of information assurors causes some problems with terminology. In this textbook, independent auditor, external auditor, and CPA will refer to
people doing financial statement audit work with public accounting firms. In the internal
and governmental contexts discussed here, auditors are identified as operational auditors, internal auditors, and governmental auditors. Although all of these professionals
are information assurors (and many are certified public accountants), the term CPA in
this book will refer to financial statement auditors engaged in public practice. The following sections provide a brief overview of the work completed by these professionals. In
Module D, we provide a detailed description for each of these areas.
Internal Auditing
The Board of Directors of the Institute of Internal Auditors (IIA) defines internal auditing
and states its objective as follows:
Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organization’s operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.7
Internal auditors are employed by organizations such as banks, hospitals, city governments, and industrial companies or work for CPA firms that provide internal auditing
services. Internal auditors often perform operational audits. Operational auditing refers to
the study of business operations for the purpose of making recommendations about the
efficient and effective use of resources, effective achievement of business objectives, and
compliance with company policies. The goal of operational auditing is to help managers
discharge their management responsibilities and improve profitability.
Internal auditors also perform audits of financial reports for internal use or limited
external distribution (e.g., reports to regulatory agencies) much like external auditors audit
financial statements distributed to outside users. Thus, some internal auditing work is similar to the auditing described elsewhere in this textbook. In addition, the services provided
by internal auditors include (1) reviews of internal control systems to ensure compliance
with company policies, plans, and procedures; (2) compliance with laws and regulations;
(3) appraisals of the economy and efficiency of operations; and (4) reviews of effectiveness
in achieving program results in comparison to established objectives and goals.
It should be noted that the AICPA defines operational auditing performed by independent CPA firms as a distinct type of management consulting service whose goal is to
help a client improve the use of its capabilities and resources to achieve its objectives. So,
internal auditors consider operational auditing integral to internal auditing and external
auditors define it as a type of assurance service offered by public accounting firms. In fact,
providing these types of internal auditing services continues to be a growing business for
7
Definition of Internal Audit, The Institute of Internal Auditors. May 17, 2019 (online source).
Chapter 1 Auditing and Assurance Services 27
many large CPA firms. However, both the SEC and the PCAOB prohibit CPA firms from
providing internal auditing services to their own public audit clients.
Governmental Auditing
The U.S. Government Accountability Office (GAO) is an accounting, auditing, and
investigating agency of the U.S. Congress, headed by the U.S. Comptroller General. In
one sense, GAO auditors are the highest level of internal auditors for the federal government. Many states have audit agencies similar to the GAO. These agencies answer to state
legislatures and perform the same types of work described in this section for GAO auditors. In another sense, GAO and similar state agencies are really external auditors with
respect to government agencies they audit because they are organizationally independent.
Many government agencies have their own internal auditors and inspectors general. Wellmanaged local governments also have internal audit departments. For example, most federal
agencies (Department of Defense, Department of Human Resources, Department of the Interior), state agencies (education, welfare, controller), and local governments (cities, counties, tax
districts) have internal audit staffs. Governmental and internal auditors have much in common.
The GAO shares with internal auditors the same elements of expanded-scope services. The GAO, however, emphasizes the accountability of public officials for the efficient, economical, and effective use of public funds and other resources. The generally
accepted government auditing standards (GAGAS) define and describe three broad types
of audits that may be performed. They are financial audits, attestation engagements, and
performance audits.
Financial audits include determining whether financial information is presented in accordance with the established and applicable financial reporting framework. There are many
types of attestation engagements, including whether the governmental entity’s internal control system is suitably designed and implemented to achieve the applicable control objectives.
Attestation engagements would also include a compliance audit function applied with
respect to applicable laws and regulations. All government organizations, programs, activities, and functions are created by law, and most are surrounded by regulations that govern
the things they can and cannot do. For example, a program established to provide school
meals to low-income students must comply with regulations about the eligibility of recipients. A compliance audit of such a program involves a study of schools’ policies, procedures, and actual performance in determining eligibility and handing out meal tickets.
Performance audits refer to a wide range of governmental audits that include (1)
economy and efficiency audits and (2) program audits. Governments are concerned about
accountability for the appropriate use of taxpayers’ resources; performance audits are
a means of seeking to improve accountability for the efficient and economical use of
resources and the achievement of program goals. In addition, the program audit helps
determine whether the financial resources being spent are truly helping the government
achieve its stated objectives for a particular program. Performance audits, like internal
auditors’ operational audits, involve studies of the management of government organizations, programs, activities, and functions. Consider the following examples of GAO
engagements.
GAO Engagement Examples
•
•
The Capitol Police Need Clearer Emergency Procedures and a
Comprehensive Security Risk Assessment Process (GAO-22-105001,
February 17, 2022).
Enhanced Data Capabilities, Analysis, Sharing, and Risk Assessments
Needed for Disaster Preparedness (GAO-22-104289, February 02,
2022).
•
•
•
FY 2021 and FY 2020 Consolidated Financial Statements of the U.S.
Government (GAO-22-105122, February 17, 2022).
Challenges Facing DOD in Strategic Competition with China (GAO-22105448, February 15, 2022).
Agencies Need to Assess Adoption of Cybersecurity Guidance (GAO22-105103, February 09, 2022).
28 Part One The Contemporary Auditing Environment
Regulatory Auditors
For the sake of clarity, other kinds of auditors deserve separate mention. The U.S. Internal Revenue Service employs auditors. They take the “economic assertions” of taxable
income made by taxpayers on tax returns and determine their correspondence with the
standards found in the Internal Revenue Code. They also audit for fraud and tax evasion.
Their reports can either certify the correctness of a taxpayer’s return, claim that additional taxes are due, or even show that a refund is due to a taxpayer.
State and federal bank examiners audit banks, savings and loan associations, and other
financial institutions for evidence of solvency and compliance with banking and other
related laws and regulations. As a result of the financial crisis of 2008/2009 and the
resulting Dodd-Frank Act of 2010, these examiners have been quite busy for many years
to help ensure the safety and security of the U.S. banking system.
REVIEW CHECKPOINTS
1.15 What is operational auditing? How does the AICPA view operational auditing?
1.16What are the three broad types of governmental audits described by the GAGAS issued by the GAO?
1.17 Define what is meant by compliance auditing.
1.18 Name some other types of auditors in addition to external, internal, and governmental auditors.
BECOME A PROFESSIONAL AND GET CERTIFIED!
LO 1-7
List and explain the
requirements for becoming
a certified public accountant
(CPA) and other certifications
available to an accounting
professional.
If you plan to begin your career in accounting (which we hope you do since you are reading this book!), you are on your way to being known as an accounting professional. Congratulations! Being part of a profession implies a higher level of societal responsibility. In
order to meet this responsibility, it is absolutely essential that you acquire the knowledge
required to do your job; certification indicates that you have acquired that knowledge. In
that spirit, being certified as a CPA is generally regarded as the highest mark of distinction and is required to practice as a financial statement auditor in the United States. In
Australia, Canada, and the United Kingdom, the chartered accountant (CA) designation
is required to practice as a financial statement auditor. For an information technology (IT)
audit professional, a certified information systems auditor (CISA) is the key mark of distinction. In fact, depending on your area of professional service within public accounting,
a certified fraud examiner (CFE), certified forensic accountant (CFA), certified information systems security professional (CISSP), or even a certified internal auditor (CIA)
certification may be just as important. Outside of public accounting, certification as a
certified management accountant (CMA) or as a certified information technology professional (CITP) may be the most appropriate. Regardless of your career choice, a certification adds credibility that will assist you throughout your entire career.
Education
While education requirements vary across the different certifying organizations, we focus
on the CPA certification in this book because of its importance to financial statement auditors. For the CPA, the specific education requirements vary by state for both having permission to take the CPA examination and for receiving a CPA certificate. As a result, students
must visit the website of their own state’s board of accountancy and search for the exact
regulations that apply in their home state. While you are required to take 150 semester hours
of college education before you receive a CPA certificate, many states now allow you to
take the CPA examination after only 120 semester hours of college education. Still other
certifications (such as the CIA) allow you to take the exam before you have graduated.
Chapter 1 Auditing and Assurance Services 29
In addition to entry-level education requirements, all certifying organizations have regulations about continuing professional education (CPE). Indeed, once certified, accounting professionals obtain CPE hours in a variety of ways: continuing education courses,
in-house training, and even college courses. These types of courses range in length from
one hour to two weeks, depending on the subject. Many CPE providers offer courses
online. If in-house training is not an option, many CPAs obtain their CPE by taking part
in training sessions offered by their home state’s professional accounting organization or
other industry conferences.
Examination
When working as a financial statement auditor, CPAs have a critically important role in
protecting the public interest when they attest to the reliability of a company’s financial
statements. As a result, the profession needs to make sure that only qualified individuals
can become certified and then licensed as CPAs. To do so, the AICPA creates and then
administers the Uniform CPA Examination. When creating the exam, the AICPA works
hard to ensure that the knowledge and skills covered on the exam are aligned with those
that are needed to protect the public interest in current practice. This is an ongoing process.
In fact, just recently, the AICPA and the National Association of State Boards of
Accountancy (NASBA) came together on a joint initiative to redesign the CPA exam to
“reflect changes in the profession and technology, focusing newly licensed CPAs on the
most relevant and useful knowledge and skills.”8 The proposed changes in the CPA exam
are part of the CPA Evolution, a broader initiative to reimagine the CPA licensure model.
The new exam is scheduled to debut in 2024 and is expected to include three new sections, Business Analysis & Reporting (BAR), Information Systems and Controls (ISC)
and Tax Compliance & Planning (TCP).
Although we encourage you to stay in close touch with changes to the CPA exam as
they occur (see www.aicpa.org), at the present time, the CPA exam emphasizes higherorder skills like problem solving, critical thinking, and analytical ability. The exam covers
Auditing and Attestation (AUD), Financial Accounting and Reporting (FAR), Regulation
(REG), and Business Environment and Concepts (BEC). In the required AUD section,
candidates will have four hours to complete 72 multiple-choice questions and eight to
nine task-based simulations. The exam score is equally weighted between the multiplechoice questions and task-based simulations. To help candidates prepare for the exam, the
AICPA has published detailed blueprints for each of the four sections. Each blueprint is
designed to provide clarity about the knowledge content, skills, and types of tasks that
might be tested for each exam. The summary blueprint for the AUD section is provided
in the accompanying table (with rough approximations of weights given to each content
area and skill allocation).9
Content Area Allocation
Ethics, Professional Responsibilities, and General Principles
Assessing Risk and Developing a Planned Response
Performing Further Procedures and Obtaining Evidence
Forming Conclusions and Reporting
Skill Allocation
Evaluation
Analysis
Application
Remembering and Understanding
Weight
15–25%
25–35%
30–40%
10–20%
Weight
5–15%
20–30%
30–40%
25–35%
Source: https://www.aicpa.org/resources/download/learn-what-is-tested-on-the-cpa-exam. Summary
blueprints for REG, FAR, and BEC can also be found at this site.
8
9
Ken, Tysiac. “Content for redesigned CPA exam takes shape,” Journal of Accountancy, AICPA, July 7 2021 (online source).
“Uniform CPA Examination® Auditing and Attestation (AUD),” AICPA, May 31, 2018 (online source).
30 Part One The Contemporary Auditing Environment
Generally speaking, each section of the CPA exam consists of multiple-choice questions and task-based simulations (except for BEC, which also includes graded written
communication). The task-based simulations are short case studies in which you will
be asked to apply your auditing and accounting knowledge. A simulation may involve
identifying a potential problem, electronically researching the topic using a database of
authoritative standards, and reporting your findings. Each section’s exam blueprint is
designed specifically for candidates to help prepare for the exam. Throughout this book,
you will have many opportunities to acquire the knowledge necessary to pass the AUD
section of the exam.
General information about the CPA exam can be obtained from a special site set
up by the AICPA (available at www.aicpa.org). Because qualifications for taking the
CPA examination vary from state to state, you will need to contact your state board of
accountancy for an application or more information. You can find your state board of
accountancy website through the NASBA website (www.nasba.org). Exhibit 1.8 lists the
requirements for the most commonly recognized professional certifications.
Experience
Although not required to sit for a professional exam, experience is required to become
certified. Most states and territories require a person who has attained the education
level and passed the CPA examination to have a period of experience working under a
practicing CPA before awarding a CPA certificate. Experience requirements vary across
states, but most jurisdictions require one to two years of experience. A few states require
that the experience be obtained in a public accounting firm, but most of them accept
experience in other organizations (GAO, internal audit, management accounting, Internal
Revenue Service, and the like) as long as the applicant performs work requiring accounting judgment and is supervised by a competent accountant, preferably a CPA. Other
certifying organizations also have experience requirements.
State Certificate and License
The AICPA does not issue CPA certificates or licenses to practice. Rather, all states and
territories have state accountancy laws and state licensing boards to administer them.
After satisfying state requirements for education and experience, successful candidates
receive their CPA certificate from their state board of accountancy. At the same time,
new CPAs must pay a fee to obtain a state license to practice or work for a CPA firm that
is licensed to practice in their state. Thereafter, state boards of accountancy regulate the
behavior of CPAs under their jurisdiction (enforcing state codes of ethics) and supervise
the continuing education requirements.
After becoming a CPA licensed in one state, a person can obtain a CPA certificate
and license in another state by filing the proper application with the second state board
of accountancy, meeting that state’s requirements, and obtaining another CPA certificate.
Many CPAs hold certificates and licenses in several states. From a global perspective,
individuals must be licensed in each country. Similar to CPAs in the United States,
chartered accountants (CAs) practice in Australia, Canada, Great Britain, and India.
Efforts are currently under way through the AICPA and the National Association of
State Boards of Accountancy (NASBA) to streamline the licensing process so that CPAs
can practice across state lines without having to possess 50 different licenses. Under
the concept of substantial equivalency, as long as the licensing (home) state requires
(1) 150 hours of education, (2) successful completion of the CPA exam, and (3) one year
of experience, a CPA can practice (either in person or electronically) in another substantial equivalency state without having to obtain a license in that state.
Skill Sets and Your Education
The requirements to become certified are rather strenuous, but they may not be enough!
Let us take you on a brief tour of the core competencies listed by the AICPA, the Association of Certified Fraud Examiners (ACFE), the Institute of Internal Auditors (IIA), the
Chapter 1 Auditing and Assurance Services 31
EXHIBIT 1.8 Certification Requirements
Certified Public
Accountant (CPA)
Certified Information
Systems Auditor
Certified Internal
(CISA)
Auditor (CIA)
Certified Fraud
Examiner (CFE)
Certified
Management
Accountant (CMA)
Education Level
Varies by state;
Generally 150 hours.
However, check with
your state board of
accountancy
No specific degree
requirement
Generally,
bachelor’s degree
or its educational
equivalent
Generally,
bachelor’s degree
or its educational
equivalent
Bachelor’s degree,
or pass the CPA,
CFA, CIA or CFE
examination
Experience
Varies by state;
Generally 1-2 years
working under a CPA.
Check with your state
board of accountancy
5 years of
professional
information system
(IS) auditing, control,
or security work
experience for
certification. Some
substitutions and
waivers are possible.
Generally 2 years
of internal auditing
experience or its
equivalent for
certification. May be
less with a Master’s
degree. May be more
without a degree.
2 years of
professional
experience for
certification
2 continuous years
of professional
experience in
management
accounting and/
or financial
management
Exam Coverage
1. Auditing and
attestation (AUD)
2. Financial
accounting and
reporting (FAR)
3. Regulation (REG)
4. Business
environment and
concepts (BEC)
1. The process
1. Essentials of
of auditing
internal auditing
information
2. Practice of internal
systems
auditing
2. Governance and
3. Business
management of IT
knowledge of
internal auditing
3. Information
systems
acquisition,
development, and
implementation
4. Information
systems
operations, and
business resilience
5. Protection of
information assets
1. Fraud prevention
and deterrence
2. Financial
transactions and
fraud schemes
3. Investigation
4. Law
1. Financial
planning,
performance,
and analytics
2. Strategic
financial
management
Test Length
4 parts, 16 hours
1 part, 4 hours (150
mc questions)
3 parts, 6.5 hours
(325 mc questions)
4 parts (2 hours each 2 parts (100 mc
part - 100 questions questions and two
each); 8 total hours
30-minute essays,
each) 8 hours
Passing Score
75%
450 (on an 800-point
scale)
600 (on a 750-point
scale)
75%
360 per part (on a
500-point scale)
Test Dates
On demand
On demand
On demand
Self-administered
On demand during
the months of Jan,
Feb, May, Jun, Sep,
and Oct
Administering Body
American Institute
of Certified Public
Accountants Board of
Examiners
Information Systems
Audit and Control
Association
Institute of Internal
Auditors
Association of
Certified Fraud
Examiners
Institute of Certified
Management
Accountants
Website
www.aicpa.org
www.isaca.org
www.theiia.org
www.acfe.com
www.imanet.org
32 Part One The Contemporary Auditing Environment
Institute of Management Accountants (IMA), the Information Systems Audit and Control
Association (ISACA), and other guidance-providing groups: mathematics, international
culture, psychology, economics, statistics, political science, inductive and deductive reasoning, ethics, group dynamic processes, finance, capital markets, managing change, history of accounting, regulation, information systems, taxation, and (oh, yes) accounting
and auditing. Add administrative capability, analytical skills, business knowledge, communication skills (writing and speaking), efficiency, intellectual capability, marketing
and selling, model building, people development, capacity for putting client needs first,
and more.
We hope you are suitably impressed by this recitation of virtually all of the world’s
knowledge. You will be very old when you accomplish a fraction of the skill development and education suggested. Now the good news: (1) not everyone needs to be completely knowledgeable in all of these areas upon graduation from college, (2) learning
and skill development continue over a lifetime, and (3) no one expects you to know
everything on the job. In fact, we have observed that audit teams composed of members
specializing in some areas with other members specializing in other areas seem to work
best in practice. We do, however, stress the need to continue your education even after
you leave school. Learning should be a lifelong pursuit, not something that ends when
you receive your diploma.
REVIEW CHECKPOINTS
1.19 Why is continuing education required to maintain certification?
1.20 Why do you think experience is required to become certified?
1.21 What are some of the functions of a state board of public accountancy?
1.22What are some of the limitations to practicing public accounting across state and national
boundaries?
Summary
Decision makers need more than just information; they need reliable and credible information that they can rely upon. Internet buyers rely on website information when purchasing online. Financial analysts and investors use financial reports to help make stock
investment decisions. Suppliers and lenders use financial reports to decide whether to
grant credit and originate loans. Labor organizations use financial reports to help determine a company’s ability to pay wages. Government agencies and Congress use financial
information in preparing analyses of the economy and in making laws concerning taxes,
subsidies, and the like. These various users rely on independent CPAs to reduce information risk. Auditors (and other information assurance providers) assume the role of certifying (or attesting to) published financial information, thereby providing assurance that
information risk is low.
This chapter began by defining information risk and explained how auditing and assurance services play a role in minimizing this risk. The financial statements were explained
in terms of the primary assertions that management makes in them, and these assertions
were identified as the focal points of the auditors’ evidence-gathering work. Auditing
is practiced in numerous forms by various practice units, including public accounting
firms, the Internal Revenue Service, the U.S. Government Accountability Office, internal
audit departments in companies, and several other types of regulatory auditors. Fraud
examiners, many of whom are internal auditors and inspectors, have also found a niche
in auditing-related activities.
The public accounting profession recognizes that, in today’s information economy,
information risk exists in areas outside of financial transactions. Assurance services is a
Chapter 1 Auditing and Assurance Services 33
broad category of information-enhancement services that build on CPAs’ auditing, attestation, accounting, and advisory skills to create products useful to a wide range of decision makers (customers). While reliable information helps make capital markets efficient
and helps people know the consequences of a wide variety of economic decisions, CPAs
practicing the assurance function are not the only information professionals at work in the
economy. Bank examiners, IRS auditors, state regulatory agency auditors (e.g., auditors
in a state’s insurance department), internal auditors employed by a company, and federal
government agency auditors all practice information assurance in one form or another.
Most financial statement auditors aspire to become certified public accountants, which
involves successfully completing a rigorous examination, obtaining practical experience,
and maintaining competence through continuing professional education. Auditors also
obtain credentials as certified internal auditors, certified management accountants, certified information systems auditors, and certified fraud examiners. Each of these fields has
large professional organizations that govern the professional standards and quality of
practice of its members.
Key Terms
assurance: The lending of credibility to information, 4
assurance services: Independent professional services that improve the quality of information, or
its context, for decision makers, 5
attestation: A professional service resulting in a report on an assertion (or assertions) about
subject matter that is the responsibility of another party, 4
attestation engagement: An engagement where a practitioner is requested to examine whether
management’s assertions about some type of subject matter can be relied upon, 8
auditing: The systematic process of objectively obtaining and evaluating evidence regarding
assertions about economic actions and events to ascertain the degree of correspondence between
the assertions and established criteria and communicating the results to interested users, 5
business risk: Those factors, events, and conditions that could prevent the organization from
achieving its business objectives, 3
completeness: Management assertion that all of the transactions, events, assets, liabilities, equity
interests, and other disclosures that should have been recorded in the financial statements have
been recorded, 15
cutoff: Management assertion that refers to accounting for revenue, expense, and other
transactions in the proper period. The cutoff date generally refers to the audit client’s year-end
balance sheet date, 16
existence: Management assertion that all assets, liabilities, and equity interests do actually exist, 15
financial reporting: Process of providing statements of financial position (balance sheets), results of
operations (income statements, statements of shareholders’ equity, and statements of comprehensive
income), changes in cash flows (statements of cash flows), and accompanying disclosures to
outside decision makers who do not have access to management’s internal sources of information; a
company’s accountants, under the direction of its management, perform this function, 13
information risk: The probability that the information circulated by an entity will be false or
misleading, 4
internal auditing: A professional service provided to a company to assist the company
in meeting its corporate goals and objectives in part by evaluating and recommending risk
management, control, and governance processes, 26
occurrence: Management assertion that all of the transactions and events that have been recorded
are valid, pertain to the entity, and have actually taken place, 15
operational auditing: An examination designed to evaluate the processes and procedures of
an organization or an area within an organization to ensure the process or area is operating
efficiently and effectively, 26
presentation and disclosure: Management assertion that all transactions and events have been
presented correctly and that all relevant information has been disclosed to financial statement
users, usually in the footnotes to the financial statements, 15
professional skepticism: A state of mind that is characterized by appropriate questioning and a
critical assessment of audit evidence, 18
relevant assertion: A management assertion is relevant if there is a reasonable possibility that
a material misstatement exists related to that assertion for the significant account or footnote
disclosure being audited, 18
34 Part One The Contemporary Auditing Environment
rights and obligations: Management assertion that the entity is entitled to all rights of the
assets, the liabilities are the legal responsibility of the entity, and all of the disclosed events and
transactions pertain to the entity, 15
significant accounts: A financial statement account or footnote disclosure is considered significant if
there is a chance that the account or footnote disclosure could contain a material misstatement. As a
result, an auditor will have to conduct some procedures on each significant account or disclosure, 18
system-generated reports: Any report that is generated by the audit client’s information system
that is used to execute its internal control procedures or produce its financial statements. It is
important to test that each system-generated report is complete and accurate if it is being used for
either of these purposes, 12
substantial equivalency: The process through which CPAs licensed in one state can practice in
another state, 30
valuation or allocation: Management assertion that all assets, liabilities, and equity interests
of the entity have been valued in accordance with the relevant financial reporting standards
(e.g., GAAP) and are listed in the financial statements at the proper amount, and any resulting
valuation adjustments have been appropriately recorded in the financial statements, 15
Multiple-Choice
Questions for
Practice and
Review
All applicable questions are available
with Connect.
LO 1-2
1.23 Which of the following would be considered an assurance engagement?
a. Giving an opinion on a prize promoter’s claims about the amount of sweepstakes prizes
awarded in the past.
b. Giving an opinion on the conformity of the financial statements of a university with
generally accepted accounting principles.
c. Giving an opinion on the fair presentation of a newspaper’s circulation data.
d. Giving assurance about the average drive length achieved by golfers with a client’s
golf balls.
e. All of the above.
LO 1-4
1.24 It is always a good idea for auditors to begin an audit with the professional skepticism characterized by the assumption that
a. A potential conflict of interest always exists between the auditor and the management of
the enterprise under audit.
b. In audits of financial statements, the auditor acts exclusively in the capacity of an
auditor.
c. The professional status of the independent auditor imposes commensurate professional
obligations.
d. Financial statements and financial data are verifiable.
LO 1-2
1.25 In an attestation engagement, a CPA practitioner is engaged to
a. Compile a company’s financial forecast based on management’s assumptions without
expressing any form of assurance.
b. Prepare a written report containing a conclusion about the reliability of a management
assertion.
c. Prepare a tax return using information the CPA has not audited or reviewed.
d. Give expert testimony in court on particular facts in a corporate income tax controversy.
LO 1-6
1.26 A determination of cost savings obtained by outsourcing cafeteria services is most likely to
be an objective of
a. Environmental auditing.
b. Financial auditing.
c. Compliance auditing.
d. Operational auditing.
Chapter 1 Auditing and Assurance Services 35
LO 1-6
1.27 The primary difference between operational auditing and financial auditing is that in operational auditing
a. The operational auditor is not concerned with whether the audited activity is generating
information in compliance with financial accounting standards.
b. The operational auditor is seeking to help management use resources in the most effective manner possible.
c. The operational auditor starts with the financial statements of an activity being audited
and works backward to the basic processes involved in producing them.
d. The operational auditor can use analytical skills and tools that are not necessary in
financial auditing.
LO 1-2
1.28 According to the AICPA, the purpose of an audit of financial statements is to
a. Enhance the degree of confidence that intended users can place in the financial
statements.
b. Express an opinion on the fairness with which they present financial position, results of
operations, and cash flows in conformity with accounting standards promulgated by the
Financial Accounting Standards Board.
c. Express an opinion on the fairness with which they present financial position, results of
operations, and cash flows in conformity with accounting standards promulgated by the
U.S. Securities and Exchange Commission.
d. Obtain systematic and objective evidence about financial assertions and report the
results to interested users.
LO 1-1
1.29 Bankers who are processing loan applications from companies seeking large loans will
probably ask for financial statements audited by an independent CPA because
a. Financial statements are too complex for the bankers to analyze themselves.
b. They are too far away from company headquarters to perform accounting and auditing
themselves.
c. The consequences of making a bad loan are very undesirable.
d. They generally see a potential conflict of interest between company managers who want
to get loans and the bank’s needs for reliable financial statements.
LO 1-5
1.30 The Sarbanes–Oxley Act of 2002 prohibits public accounting firms from providing which of
the following services to an audit client?
a. Bookkeeping services.
b. Internal auditing services.
c. Valuation services.
d. All of the above.
LO 1-1
1.31 Independent auditors of financial statements perform audits that reduce
a. Business risks faced by investors.
b. Information risk faced by investors.
c. Complexity of financial statements.
d. Timeliness of financial statements.
LO 1-6
1.32 The primary objective of compliance auditing is to
a. Give an opinion on financial statements.
b. Develop a basis for a report on internal control.
c. Perform a study of effective and efficient use of resources.
d. Determine whether client personnel are following laws, rules, regulations, and policies.
LO 1-7
1.33 What requirements are usually necessary to become licensed as a certified public accountant?
a. Successful completion of the Uniform CPA Examination.
b. Experience in the accounting field.
c. Education.
d. All of the above.
36 Part One The Contemporary Auditing Environment
LO 1-6
1.34 The organization primarily responsible for ensuring that public officials are using public
funds efficiently, economically, and effectively is the
a. Governmental Internal Audit Agency (GIAA).
b. Central Internal Auditors (CIA).
c. Securities and Exchange Commission (SEC).
d. Government Accountability Office (GAO).
LO 1-6
1.35 Performance audits usually include [two answers]
a. Financial audits.
b. Economy and efficiency audits.
c. Compliance audits.
d. Program audits.
LO 1-3
1.36 The objective in an auditor’s review of credit ratings of a client’s customers is to obtain
evidence related to management’s assertion about
a. Completeness.
b. Existence.
c. Valuation or allocation.
d. Rights and obligations.
e. Occurrence.
LO 1-4
1.37 Jones, CPA, is planning the audit of Rhonda’s Company. Rhonda verbally asserts to Jones
that all expenses for the year have been recorded in the accounts. Rhonda’s representation in
this regard
a. Is sufficient evidence for Jones to conclude that the completeness assertion is supported
for expenses.
b. Can enable Jones to minimize the work on the gathering of evidence to support Rhonda’s completeness assertion.
c. Should be disregarded because it is not in writing.
d. Is not considered a sufficient basis for Jones to conclude that all expenses have been
recorded.
LO 1-1
1.38 The risk to investors that a company’s financial statements may be materially misleading is
called
a. Client acceptance risk.
b. Information risk.
c. Moral hazard.
d. Business risk.
LO 1-3
1.39 When auditing merchandise inventory at year-end, the auditor performs audit procedures to
ensure that all goods purchased before year-end are received before the physical inventory
count. This audit procedure provides assurance about which management assertion?
a. Cutoff.
b. Existence.
c. Valuation or allocation.
d. Rights and obligations.
e. Occurrence.
LO 1-3
1.40 When auditing merchandise inventory at year-end, the auditor performs audit procedures to
obtain evidence that no goods held on consignment are included in the client’s ending inventory balance. This audit procedure provides assurance about which management assertion?
a. Completeness.
b. Existence.
c. Valuation or allocation.
d. Rights and obligations.
e. Occurrence.
Chapter 1 Auditing and Assurance Services 37
LO 1-3
1.41 When an auditor reviews additions to the equipment (fixed asset) account to make sure that
fixed assets are not overstated, she wants to obtain evidence as to management’s assertion
regarding
a. Completeness.
b. Existence.
c. Valuation or allocation.
d. Rights and obligations.
e. Occurrence.
LO 1-5
1.42 The Sarbanes–Oxley Act of 2002 generally prohibits public accounting firms from
a. Acting in a managerial decision-making role for an audit client.
b. Auditing the firm’s own work on an audit client.
c. Providing tax consulting to an audit client without audit committee approval.
d. All of the above.
LO 1-7
1.43 Substantial equivalency refers to
a. An auditor’s tendency not to believe management’s assertions without sufficient cor­roboration.
b. Providing consulting work for another firm’s audit client in exchange for the other firm’s
providing consulting services to one of your clients.
c. The waiving of certification exam parts for an individual holding an equivalent certification from another professional organization.
d. Permitting a CPA to practice in another state without having to obtain a license in that
state.
LO 1-2
1.44 Which of the following best describes the relationship between auditing and attestation
engagements?
a. Auditing is a subset of attestation engagements that focuses on the certification of financial statements.
b. Attestation is a subset of auditing that provides lower assurance than that provided by an
audit engagement.
c. Auditing is a subset of attestation engagements that focuses on providing clients with
advice and decision support.
d. Attestation is a subset of auditing that improves the quality of information or its context
for decision makers.
LO 1-3
1.45 During an audit of a company’s cash balance on a company with operations in only one
country, the auditor is most concerned with which management assertion?
a. Existence.
b. Rights and obligations.
c. Valuation or allocation.
d. Occurrence.
LO 1-3
1.46 When auditing an investment in a publicly traded company, an auditor most likely would
seek to conduct which audit procedure to help satisfy the valuation assertion?
a. Inspect the stock certificates evidencing the investment.
b. Examine the audited financial statements of the investee company.
c. Review the broker’s advice or canceled check for the investment’s acquisition.
d. Obtain market quotations from The Wall Street Journal or another independent source.
LO 1-3
1.47 Cutoff tests designed to detect valid sales that occurred before the end of the year but
have been recorded in the subsequent year would provide assurance about management’s
assertion of
a. Presentation and disclosure.
b. Completeness.
c. Rights and obligations.
d. Existence.
38 Part One The Contemporary Auditing Environment
LO 1-3
1.48 Which of the following audit procedures probably would provide the most reliable evidence
related to the entity’s assertion of rights and obligations for the inventory account?
a. Trace test counts noted during physical count to the summarization of quantities.
b. Inspect agreements for evidence of inventory held on consignment.
c. Select the last few shipping advices used before the physical count and determine
whether the shipments were recorded as sales.
d. Inspect the open purchase order file for significant commitments to consider for
disclosure.
LO 1-3
1.49 In auditing the accrued liabilities account on the balance sheet, an auditor’s procedures most
likely would focus primarily on management’s assertion of
a. Existence or occurrence.
b. Completeness.
c. Presentation and disclosure.
d. Valuation or allocation.
LO 1-2
1.50 Which of the following best describes the focus of the following engagements?
Auditing Engagement
Attestation
Engagement
Assurance
Engagement
Consulting Services
Engagement
a. Any information
Financial statements
Advice and decision
support
Financial information
b. Financial information
Advice and decision
support
Financial statements
Any information
c. Advice and decision
support
Any information
Financial information
Financial statements
d. Financial
statements,
including footnotes
Financial information
Any information
Advice and decision
support
LO 1-7
1.51 Which of the following is a reason to obtain professional certification?
a. Certification provides credibility that an individual is technically competent.
b. Certification often is a necessary condition for advancement and promotion within a
professional services firm.
c. Obtaining certification is often monetarily rewarded by an individual’s employer.
d. All of the above.
LO 1-3
1.52 During an audit of an entity’s stockholders’ equity accounts, the auditor determines whether
there are restrictions on retained earnings resulting from loans, agreements, or state law.
This audit procedure most likely is intended to verify management’s assertion of
a. Existence or occurrence.
b. Completeness.
c. Valuation or allocation.
d. Presentation and disclosure.
LO 1-3
1.53 When auditing the accounts receivable account on the balance sheet, an auditor’s procedures
most likely would focus primarily on management’s assertion of
a. Existence.
b. Completeness.
c. Presentation and disclosure.
d. Rights and obligations.
Chapter 1 Auditing and Assurance Services 39
LO 1-3
1.54 An auditor selected items for test counts from the client’s warehouse during the physical
inventory observation. The auditor then traced these test counts into the detailed inventory
listing that agreed to the financial statements. This procedure most likely provided evidence
concerning management’s assertion of
a. Rights and obligations.
b. Completeness.
c. Existence.
d. Valuation or allocation.
LO 1-3
1.55 An auditor’s purpose in auditing the information contained in the pension footnote most
likely is to obtain evidence concerning management’s assertion about
a. Rights and obligations.
b. Existence.
c. Presentation and disclosure.
d. Valuation or allocation.
LO 1-5
1.56 Which of the following would best be described as an attest engagement?
a. An engagement to implement an ERP system.
b. An engagement to develop a more efficient payroll process.
c. An engagement to assess the effectiveness of an internal control system.
d. An engagement to assist the client in an IRS audit.
LO 1-3
1.57 An auditor seeks to test the accuracy of the amount recorded as revenue on a contract with a
customer under ASC 606. Which PCAOB assertion is most likely being tested?
a. Rights and obligations.
b. Valuation or allocation.
c. Presentation and disclosure.
d. Completeness.
LO 1-3
1.58 In testing the goodwill at an audit client in the retail industry, an auditor may seek to determine whether the account balance had been impaired. Such impairment procedures would
be designed to test which financial statement assertion?
a. Existence.
b. Completeness.
c. Presentation and disclosure.
d. Valuation or allocation.
LO 1-3
1.59 In testing inventory at an audit client in the retail industry, you note that some of the inventory is contracted to be held on consignment. As a result, which financial statement assertion
is now relevant?
a. Rights and obligations.
b. Completeness.
c. Existence or occurrence.
d. Valuation or allocation.
Exercises and
Problems
Select Exercises and Problems are available
with Connect.
LO 1-2
1.60
Audit, Attestation, and Assurance Services. Following is a list of various professional
services. Identify each by its apparent characteristics as an audit engagement, attestation
engagement, or assurance engagement. Because audits are a subset of attestation engagements, which are a subset of assurance engagements, choose the most specific description.
In other words, if you believe the engagement is an audit engagement, select only audit
40 Part One The Contemporary Auditing Environment
engagement rather than checking all three. Similarly, the choice of assurance engagement
for an audit, while technically correct, would not be the best choice.
Audit Engagement
Attestation Engagement
Assurance Engagement
Real estate demand studies
Certify ballot for awards show
Utility rates applications
Newspaper circulation audits
Third-party reimbursement maximization
Annual financial report to stockholders
Rental property operational review
Examinations of financial forecasts and projections
Customer satisfaction surveys
Compliance with contractual requirements
Benchmarking/best practices
Evaluation of investment management policies
Information systems security reviews
Productivity statistics
Internal audit strategic review
Financial statements submitted to a bank loan officer
LO 1-4
1.61
Professional Skepticism. For each of the following scenarios, please evaluate whether
you believe that your professional skepticism as an auditor should increase, decrease, or
stay the same:
a. The chair of the board of your audit client proposed that the company hire its sales manager as their new financial controller.
b. The financial controller at your client mentions that she has just been on maternity leave
for three months and no bank reconciliations were completed during the time she was
out of the office.
c. While auditing the accounts receivable account for your audit client, you notice that
there is a large amount that is well past due on the aged accounts receivable schedule.
d. While auditing the year-end investment balances, you find that your client’s investment
balance exactly agrees to the statement from the investment custodian. The custodian is
a large bank.
e. The new chair of the board of Adams Corporation decided to fire the entire internal
audit department. The chair believed that the work completed by the annual auditor was
enough auditing and that they were already paying enough to the external auditors.
f. While auditing the inventory balance at your audit client, you visited the client’s warehouse during their inventory count. You observed the count and found that the client
made no mistakes during your procedures.
g. The sales manager in charge of the Northeast region retired. She was replaced in the
region by the assistant sales manager in the same region.
h. While auditing the interest expense account, you notice that there was no increase in the
amount during the current year. However, you noticed that the long-term debt amount
doubled during the current year.
i. While auditing the inventory balance at your audit client, you perform test counts at their
warehouse. While you are counting, you notice a storage bin of inventory that is covered
in dust with damaged products. These items are stored near the garbage dumpsters.
Chapter 1 Auditing and Assurance Services 41
LO 1-3
1.62
j. You are auditing cash and during your review of the bank statements you notice unusual
cash transfers between two bank accounts which are inconsistent with the client’s
business.
k. While auditing accounts payable, the accounts payable clerk told you that the audit client implemented three new internal control procedures. You tested each new control
and found no exceptions in your testing, concluding that the controls are operating
effectively.
l. The chair of the board of your audit client decided to double the staff of the internal
audit department from 10 professionals to 20 professionals. The chair wanted to have
the largest internal audit department in the industry and the increase will let the department complete more internal control audits throughout the year.
Management Assertions. Complete the following chart indicating the corresponding
Auditing Standards Board assertions and whether the assertion relates to transactions or
balances.
PCAOB Assertion
Corresponding ASB Assertion (s)
Relates to:
Existence or Occurrence
Rights and Obligations
Completeness
Valuation or Allocation
Presentation and Disclosure
LO 1-3
1.63
LO 1-6
1.64
Management Assertions. Your audit manager has asked you to explain the PCAOB assertions
by using an account on the balance sheet at your audit client. For the accounts receivable
account, please define each of the PCAOB assertions, using the accounts receivable
account as a way to illustrate each assertion. You are encouraged to reference Exhibit 1.4 to
help you answer this question.
Other Types of Auditing. Beyond public accounting firms, there are a number of other
opportunities to work as an audit professional. Three common examples would be working
as an internal auditor, a governmental auditor, or a regulatory auditor.
Required:
For each of the following scenarios, please indicate whether it would be most appropriate to
use an internal auditor, a governmental auditor, or a regulatory auditor:
a. The Department of Defense for the United States plans to audit the cost accounting
report for a contract signed with a key supplier.
b. Bigdeal Corporation manufactures paper and paper products and is trying to decide
whether to purchase Smalltek Company. Bigdeal wants to obtain a report on the operational efficiency and effectiveness of the Smalltek sales, production, and research and
development departments.
42 Part One The Contemporary Auditing Environment
LO 1-1, 1-2
1.65
c. The Federal Deposit Insurance Company (FDIC) plans to audit the collectability of
loans at a bank that they insure.
d. The board of directors would like an efficiency audit completed of its manufacturing
plant operations.
e. The City of New York would like an audit done of a major construction project to make
sure that the taxpayer’s funds were used in an efficient manner.
f. A federal bank examiner decides to audit a bank to determine whether it will remain
solvent in the upcoming year.
g. The CEO of Franklin Corporation wants to hire an auditor to take responsibility for
auditing the company’s compliance with environmental laws and regulations.
h. The Internal Revenue Service (IRS) would like to audit the tax returns of a popular restaurant chain.
i. The State of Ohio decided to audit the use of educational grants awarded to cities and
towns in the state to make sure the funds were spent in accordance with the grant program.
j. The Department of the Interior for the United States plans to audit the use of funds spent
by all National Parks.
Auditor as Guarantor. Your neighbor, Loot Starkin, invited you to lunch yesterday. Sure
enough, it was no “free lunch” because Loot wanted to discuss the annual report of Dodge
Corporation. He owns Dodge stock and just received the annual report. Loot says, “Our
auditors prepared the audited financial statements and gave an unqualified opinion, so my
investment must be safe.”
Required:
LO 1-6
What misconceptions does Loot Starkin seem to have about the auditor’s role with respect
to Dodge Corporation?
1.66 Identification of Audits and Auditors. Audits may be characterized as (a) financial statement audits, (b) compliance audits, (c) economy and efficiency audits, and (d) program
results audits. The work can be done by independent (external) auditors, internal auditors,
or governmental auditors (including IRS auditors and federal bank examiners). Following
is a list of the purposes or products of various audit engagements:
Type of
Audit
Type of
Auditor
1. Analyze proprietary schools’ spending to train students for low-demand occupations.
2. Determine whether an advertising agency’s financial statements are fairly presented in conformity with GAAP.
3. Study the effectiveness of the Department of Defense’s expendable launch vehicle program.
4. Compare costs of municipal garbage pickup services to comparable services subcontracted to a private
business.
5. Investigate financing terms of tax shelter partnerships.
6. Study a private aircraft manufacturer’s test pilot performance in reporting on the results of test flights.
7. Conduct periodic examinations by the U.S. Comptroller of Currency of a national bank for solvency.
8. Evaluate the promptness of materials inspection in a manufacturer’s receiving department.
9. Report on the need for the states to consider reporting requirements for chemical use data.
10. Render a public report on the assumptions and compilation of a revenue forecast by a sports stadium/racetrack
complex.
Required:
For each of the engagements listed, indicate (1) the type of audit (financial statement,
compliance, economy and efficiency, or program results) and (2) the type of auditors (external,
internal, or govermental) you would expect to be involved.
LO 1-3
1.67 Financial Assertions and Audit Objectives. You are engaged to examine the financial
statements of Spillane Company for the year ended December 31. Assume that on November 1, Spillane borrowed $500,000 from Second National Bank to finance plant expansion.
The long-term note agreement provided for the annual payment of principal and interest over
Chapter 1 Auditing and Assurance Services 43
five years. The existing plant was pledged as security for the loan. Due to the unexpected difficulties in acquiring the building site, the plant expansion did not begin on time. To use the
borrowed funds, management decided to invest in stocks and bonds and on November 16,
invested the $500,000 in publicly traded securities.
Required:
Identify the relevant financial statement assertions for the publicly traded securities account
(an asset) based on the PCAOB’s five management assertions about the financial statements.
LO 1-3
1.68
Financial Statement Assertions and Possible Misstatements. According to the professional standards, a financial statement assertion is relevant if it has a “reasonable possibility
of containing a misstatement that would cause the financial statements to be materially misstated.” For each of the possible misstatements identified below, please select the appropriate financial statement assertion.
Possible Misstatement/Risk
a. Revenue is overstated because the controller made up fraudulent invoices and recorded
them.
b. Revenue is understated because the accountant closed the sales cycle a week early to go
on vacation.
c. Accounts receivable is overstated because the accounts receivable clerk forgot to apply
available discounts.
d. Accounts receivable is overstated because sales are falsified.
e. Travel expense is overstated because the sales force charged personal expenses on their
corporate credit card.
f. Accounts payable is understated because the office manager lost an invoice for supplies
received so it was never recorded.
g. The cash balance is understated because funds held in Japan were converted to $USD at
the wrong rate.
h. The cash balance recorded on the financial statements is overstated because the treasurer is stealing from the company.
i. Inventory is overstated because it is held on consignment but included in the inventory
balance.
j. The cost of goods sold is overstated because time sheets have not been submitted for
each job.
k. Long-term debt is overstated due to misclassification by management.
LO 1-3
1.69
Financial Statement Assertions and Audit Procedures. According to the professional
Standards, a financial statement assertion is relevant if it has a “reasonable possibility
of containing a misstatement that would cause the financial statements to be materially
misstated.” For each audit procedure listed below, please select the appropriate financial
statement assertion that would be tested by the procedure (i.e., existence or occurrence,
completeness, valuation, rights and obligations, presentation and disclosure) and significant financial statement account:
Audit Procedures
a. The auditor sends a letter to the bank confirming the amount of cash in the bank account.
b. The auditor takes a shipping document and traces it to the sales invoice and sales journal.
c. The auditor selects items from the company’s inventory list and observes those items in
the warehouse.
d. The auditor compares prices on a vendor invoice to an approved price list from the
vendor.
e. The auditor reviews recorded expenses with vendor invoices.
f. The auditor determines whether inventory has been pledged as collateral for a loan.
g. The auditor reads the minutes from the board of directors meeting to make sure that
recorded stock options were approved.
h. The auditor reviews new lease agreements to evaluate whether leases have been recorded
properly on the balance sheet.
44 Part One The Contemporary Auditing Environment
i. The auditor selects inventory items at a retail store to determine whether any are held on
consignment.
j. The auditor sends letters to customers to confirm amounts owed to the company.
LO 1-7
1.70
Internet Exercise: Professional Certification. Each state has unique rules for certification concerning education, work experience, and residency. Visit the website for your state
board of accountancy and download a list of the requirements for becoming a CPA in your
state. Although not all of the state boards of accountancy have websites, you can find those
of most states by accessing the National Association of State Boards of Accountancy at its
website.
LO 1-7
1.71
Internet Exercise: Professional Certification. Visit the website of the Institute of Internal
Auditors, the Institute of Management Accountants, the Association of Certified Fraud
Examiners, or the Information Systems Audit and Control Association. Review the information regarding the certifications available. Does the organization explain the benefits of
having its certification? What topics are covered on the certification exam? What are the
minimum requirements to take the exam? What additional experience is required to receive
the certification?
LO 1-5
1.72Internet Exercise: Services Offered by the Big Four Public Accounting Firms. Visit
the websites of Deloitte, PwC, EY and KPMG. Review the services offered by each
firm. Please identify and briefly describe at least two services offered by each firm to the
marketplace.
Apollo Shoes
Assume that you are a recently promoted senior (in charge) auditor for Anderson, Olds,
and Watershed and have been assigned to the engagement team of a new client, Apollo
Shoes Inc. To begin the audit, you need to familiarize yourself with Apollo Shoes. To do
so, you will want to review the prior year 10-K, Board of Directors meeting minutes, and
CEO letter to the shareholders. Detailed instructions can be found in Connect.
CHAPTER 2
Professional
Standards
The Securities and Exchange Commission may need to prohibit trading in about
270 China-related companies by early 2024. . . Now it’s up to Beijing to let the
oversight board in so we can ensure the relevant audits are up to U.S. standards.
Gary Gensler, Chair of the Securities and Exchange Commission, “Chinese
Firms Need to Open Their Books,” The Wall Street Journal, September 14,
2021, p. A17.
Professional Standards References
AU-C/ISA
Section
AS
Section
Overall Objectives of the Independent Auditor
200
1001
1005
1010
1015
Quality Management for an Audit Engagement
220
1110
Audit Planning
300
2101
Supervision of the Audit Engagement
300
1201
Identifying and Assessing the Risks of Material Misstatement
315
2110
Materiality
320
2105
Audit Evidence
500
1105
Reporting on Financial Statements
700
3101
Modifications to Reports on Financial Statements
705
3105
QM 10
1110, QC 20,
QC 30, QC 40
Topic
Quality Control
LEARNING OBJECTIVES
Chapter 2 discusses the standards that govern the
conduct of audit examinations (generally accepted
auditing standards) and how these standards offer
the explicit guidance that must be followed during
audits. In addition, Chapter 2 identifies important
policies and procedures implemented by auditing
firms (through a system of quality control) to ensure
that the firms’ audits comply with appropriate
professional standards and can withstand scrutiny
by regulatory bodies. Finally, the chapter discusses
external monitoring efforts that evaluate the quality of
audit firms’ work.
Your objectives are to be able to
LO 2-1
Understand the development and source of
generally accepted auditing standards.
LO 2-2
Describe the fundamental principle of
responsibilities and how this principle
relates to the characteristics and
qualifications of auditors.
45
46 Part One The Contemporary Auditing Environment
LO 2-3
Describe the fundamental principle of
performance and identify the major activities
performed in an audit.
LO 2-4
Understand the fundamental principle of
reporting and identify the basic contents of
the auditors’ report.
LO 2-5
Understand the role of a system of quality
control and monitoring efforts in enabling
public accounting firms to meet appropriate
levels of professional quality.
INTRODUCTION
Who sets the rules and standards for audits? Until 2002, the accounting profession was
self-regulated; that is, the standards governing audits were established by members of
the profession themselves through the American Institute of Certified Public Accountants
(AICPA). Although critics indicated that self-regulation was akin to having university students establish the systems used to determine their grades, this practice continued for
more than 60 years and, although some concerns were raised during this time, remained
largely unchanged.
Motivated to a great extent by the audit failures related to Enron and WorldCom,
Congress passed the Sarbanes–Oxley Act of 2002 (Sarbanes–Oxley). Among other
reforms, this act created the Public Company Accounting Oversight Board (PCAOB) to provide external and independent oversight over the audits of public entities, or issuers. (An
issuer is an entity that offers registered securities, such as stocks and bonds, for sale to
the general public.) Among other matters, the PCAOB is responsible for registering public accounting firms, establishing and enforcing standards for audit engagements, and
inspecting the quality of audits conducted by registered public accounting firms.
As noted in the introductory quote, the PCAOB has encountered challenges inspecting
audits of international issuers trading on United States exchanges, particularly those based
in China. To avoid potential disclosure of strategic secrets of its firms, the Chinese government implemented laws that prevent companies from complying with overseas regulators
(such as the PCAOB) without obtaining its permission. (Not so coincidentally, the Chinese
government is the majority owner of many of these companies). As a result, unlike audits
conducted for U.S. companies, PCAOB inspectors have not had the ability to inspect audits
of Chinese companies to ensure their quality and usefulness to investors and lenders.
In 2020, the United States Congress passed the Holding Foreign Companies Accountable Act of 2020 (HFCAA). Among other requirements, this act requires the following
disclosures for issuers in foreign jurisdictions in which the PCAOB is unable to inspect
audits because of a government mandate:
∙ The percentage of shares owned by governmental entities where the issuer is
incorporated.
∙ Whether the governmental entity has a controlling interest in the issuer.
∙ Information related to board members who are officials of the Chinese Communist Party.
∙ Information about whether the issuer’s articles of incorporation contain charters of the
Chinese Communist Party.
In addition to the above, the HFCAA established a three-year deadline for permitting
inspections of these audits; otherwise, the issuers will be forced to cease trading on U.S.
stock exchanges (“delist”). Based on data from Standard & Poors’ Global Market Intelligence, as of December 2020, over 250 companies based in China or Hong Kong are listed
on U.S. stock exchanges; these companies have a market capitalization of over $3 trillion.1
In August 2022, United States and Chinese authorities reached an agreement to allow for
PCAOB inspections of these audits.2
1
2
“House Passes Delisting of China Firms,” The Wall Street Journal, December 2, 2020, p. B1, B2.
“Washington, Beijing Reach Deal on Audits,” The Wall Street Journal, August 27, 2022, p. A. 10.
Chapter 2 Professional Standards 47
The PCAOB Focus “Deloitte Brazil and Gol Intelligent Airlines” illustrates the powerful role of the PCAOB and its significant impact on the accounting profession.
PCAOB INSPECTION
FOCUS
Deloitte Brazil and Gol Intelligent Airlines
In 2012, the PCAOB selected Deloitte Brazil’s (an affiliate of Deloitte)
audit of Gol Intelligent Airlines (a low-cost Brazilian airline) as part
of its inspection process. In anticipation of the inspection, Deloitte
Brazil altered critical audit documentation and provided misleading
documents and information to the PCAOB inspectors. As a result of
these actions, Deloitte Brazil settled with the PCAOB with the following sanctions:
•
•
Censure
•
•
Prohibitions from accepting new audit clients
Civil monetary penalty of $8 million (to date, the largest penalty
levied by the PCAOB)
Required reviews of all work on existing audit clients by Deloitte
Global member or affiliate firms
•
Appointment of an independent monitor to review Deloitte Brazil’s
quality control system and evaluate their compliance with other
sanctions
In addition to these firmwide sanctions, 12 individuals affiliated with
Deloitte Brazil were censured and sanctioned through monetary penalties, disbarment from affiliating with PCAOB-registered accounting firms
(for periods ranging from one year to permanent), suspensions, or other
restrictions on audit-related responsibilities. Then-PCAOB Director of
Enforcement Claudius Modesti commented that Deloitte’s actions were
“the most serious misconduct we’ve discovered.”
Sources: PCAOB Release No. 105-2016-031, In the Matter of Deloitte Touche Tohmatsu Auditores Independentes, PCAOB, December 5, 2016; PCAOB
enforcement actions related to individual Deloittee Brazil personnel (PCAOB
Release Nos. 105-2016-32 through 105-2016-43); “Bother in Brazil,” The
Economist, December 10, 2016, pp. 63-64.
The preceding vignette illustrates the powerful role of the PCAOB and its significant
impact on regulation in the accounting profession. The following summarizes PCAOB
enforcement activity for the period 2017–2021.3
Number of cases
Settled Actions
Adjudicated Actions
142
5
Disbarment of CPA/revocation of firm registration
79
5
Suspension of CPA/suspension of firm registration
15
0
Cases involving Big Four firms/affiliates
19
2
# / total monetary penalties
109 / $10.6 million
5 / $360,000
Range of monetary penalties
$2,500–1.5 million
$25,000–150,000
The above illustrates the public scrutiny and attention placed on policies and procedures implemented by firms to conduct high quality audits. Although situations like these
are exceptions rather than the rule, accounting firms clearly are being held to a higher
standard for the quality of their work, and failures are receiving intense attention in the
media. The development of professional auditing standards, actions taken by audit firms
to ensure that their audits comply with these standards, and monitoring efforts by external bodies (such as the PCAOB) to evaluate the quality of audit firms’ work are the focal
points of this chapter.
GENERALLY ACCEPTED AUDITING STANDARDS (GAAS)
LO 2-1
Understand the
development and source of
generally accepted auditing
standards.
At least two historical milestones had a significant impact on the development of auditing standards. In 1938, a scandal of epic proportions broke at McKesson & Robbins,
a large pharmaceutical company. Price Waterhouse & Co. (now PwC), the company’s
auditor for more than 10 years, failed to discover that the company had inflated inventory
3
Disciplinary orders drawn from PCAOB website (https://https://pcaobus.org/oversight/enforcement/enforcement-actions).
48 Part One The Contemporary Auditing Environment
and receivables through the falsification of supporting documents (including one phony
shipment from the United States to Australia by truck!). Auditors merely accepted management’s assertions about inventory and receivables balances without verifying their
existence. The accounting profession reacted quite strongly to the scandal by tasking the
AICPA to develop standards that served as the basis for audits of both issuers and nonissuers (nonpublic entities). From 1939 through 2002, the AICPA’s Auditing Standards
Board issued Statements on Auditing Procedures (1939–1972) and Statements on Auditing Standards (SASs) (1972–present) to provide guidance for the conduct of audits.4
A second defining moment in the development of auditing standards was the massive
frauds at Enron and WorldCom (and the inability of those entities’ auditors to identify
the frauds). In response to these failures, Sarbanes–Oxley (which was passed by a vote
of 99-0 in the U.S. Senate!) created the PCAOB and delegated the responsibility for
developing standards for the audits of issuers to this body. The PCAOB issues Auditing
Standards, which are subject to the formal approval of the Securities and Exchange Commission (SEC). The authorization for developing standards for the audits of nonissuers
continues to remain with the Auditing Standards Board of the AICPA.
Until 2016, PCAOB standards consisted of a combination of Auditing Standards issued
by the PCAOB and standards issued by the AICPA that had not been superseded by the
PCAOB (referred to as Interim Auditing Standards). Effective December 31, 2016, the
PCAOB has reorganized and combined these standards into a single body of pronouncements. Appendix 2A illustrates how auditors utilize the PCAOB and ASB standards in
providing appropriate professional guidance.
The relevant pronouncements of the AICPA are referred to as generally accepted auditing
standards (GAAS).5 GAAS are auditing standards that identify necessary qualifications and
characteristics of auditors and guide the conduct of the audit examination. The purpose of
GAAS is to meet the objectives of an audit examination, which are (AU-C 200.12):
∙ To obtain reasonable assurance about whether the financial statements as a whole are
free of material misstatement, whether due to fraud or error.
∙ To issue a report on the financial statements.
Generally, auditors who do not follow the guidance provided in GAAS are presumed
to have performed deficient audits.
Organization of GAAS
The body of GAAS is based on three fundamental principles identified by the ASB
that underlie all audits. These fundamental principles relate to (1) responsibilities of the
audit team, (2) performance of the audit, and (3) reporting the results of the engagement.
Recall from Chapter 1 the definition of auditing as
. . . a systematic process of objectively obtaining and evaluating
evidence regarding assertions about economic actions and
events to ascertain the degree of correspondence between the
assertions and established criteria and communicating the
results to interested users.
Closer examination of the fundamental principles reveals that they closely parallel that
definition. For example, the responsibilities principle defines objectivity and identifies the
important role that objectivity plays in the audit. The performance principle requires, among
other things, auditors to plan the work (i.e., conduct the audit using a “systematic process”)
and to “obtain and evaluate evidence” through assessing the risk of material misstatement and
4
Statements on Auditing Standards (SAS) are authoritative AICPA pronouncements on auditing theory and practice. Statements
on Auditing Procedure (SAP) Nos. 1–54 were codified into SAS 1 in 1972.
5
The auditing standards for issuers are referred to as PCAOB Standards to distinguish them from the standards for nonissuers.
Chapter 2 Professional Standards 49
gathering sufficient appropriate evidence. Finally, the reporting principle provides guidance
for “communicating the results” of the audit about whether the financial statements are prepared using “established criteria” (an applicable financial reporting framework, or GAAP).
Based on the fundamental principles, professional standards are established that provide
specific objectives and requirements (Statements on Auditing Standards issued by the ASB
and Auditing Standards issued by the PCAOB). GAAS also includes various interpretive
publications (such as Interpretations, exhibits, AICPA Audit and Accounting Guides, and
AICPA Auditing Statements of Position) which provide guidance on the application of GAAS
in specific circumstances, including engagements for entities in certain industries. Although
officially considered less authoritative and less binding than the guidance in the SASs and
Auditing Standards, auditors still must justify any departures from these publications. The
relationship among these various elements is summarized in the following graphic.
Fundamental Principles
Professional
Standards
and Guidance
PCAOB Auditing Standards and
ASB Statements on
Auditing Standards
Interpretive Publications
Guide general conduct of audit
engagements
Provide requirements
supporting
fundamental principles
Provide guidance on the
application of GAAS
Auditing standards are quite different from audit procedures. Audit procedures are the
particular and specialized actions that auditors take to obtain evidence in a specific audit
engagement. Auditing standards, on the other hand, are quality guides to the audit that apply
to all audits. For example, auditing standards indicate that auditors must determine that
recorded accounts receivable are based on actual sales to customers. An audit procedure
used to satisfy that standard is to confirm accounts receivable with the company’s customers.
This difference is the reason auditors’ reports refer to an audit “conducted in accordance with
standards of the PCAOB” [emphasis added] rather than in accordance with audit procedures.
In addition to the standards for U.S. issuers and nonissuers, it is important to note that
separate auditing standards have been developed for governmental and foreign entities.
A summary of the body charged with establishing standards as well as the standards
themselves for various types of audits follows.
Issuers
Nonissuers
Governmental Entities
Foreign Entities
Rule-making body
Public Company
Accounting Oversight
Board (PCAOB)
AICPA Auditing Standards
Board (ASB)
U.S. Government
Accountability Office (GAO)
International Auditing and
Assurance Standards Board
(IAASB)
Standards
Auditing Standards (ASs)
Statements on Auditing
Standards (SASs)
Government Auditing
Standards (The Yellow Book)
International Standards on
Auditing (ISAs)
Website
www.pcaobus.org
www.aicpa.org
www.gao.gov
www.iaasb.org
If an accounting firm audits issuers and nonissuers throughout the world, that firm may
be subject to multiple (sometimes conflicting) standards issued by the ASB, PCAOB,
and IAASB, among others. For this reason, auditors and regulators have a great interest
in convergence—that is, making the standards coordinated, if not uniform, throughout
the world. The ISAs are a first step in the development of one consistent set of guidelines
that auditors worldwide can follow. Although the focus in this text will be on audits of
50 Part One The Contemporary Auditing Environment
U.S. issuers and nonissuers (and therefore pronouncements of the PCAOB and ASB), it
is important that students be aware that additional standards exist related to the audits of
governmental and foreign entities.
REVIEW CHECKPOINTS
2.1 Define generally accepted auditing standards (GAAS). What is the purpose of GAAS?
2.2 Who is responsible for developing standards for the audits of issuers? Who is responsible for developing standards for the audits of nonissuers?
2.3 Identify the role of the following bodies in the auditing standards-setting process: (1) the AICPA; (2)
the PCAOB; (3) the SEC.
2.4 Identify the three fundamental principles underlying GAAS.
FUNDAMENTAL PRINCIPLE: RESPONSIBILITIES
LO 2-2
Describe the fundamental
principle of responsibilities
and how this principle
relates to the characteristics
and qualifications of
auditors.
The fundamental principle of responsibilities relates to the personal integrity and professional qualifications of auditors. This principle addresses the following responsibilities
of auditors:
Auditors are responsible for
∙ Having appropriate competence and capabilities to perform
the audit.
∙ Complying with relevant ethical requirements.
∙ Maintaining professional skepticism and exercising professional
judgment throughout the planning and performance of the audit.
As shown in the following figure, certain issues related to responsibilities are addressed
before a firm accepts a prospective client, as the firm considers whether it has the competence and capabilities to perform the engagement and ensures it is independent with
respect to the client prior to formal acceptance. However, professional skepticism, professional judgment, and due care must be considered and exercised by the auditor throughout the entire engagement.
STAGES OF AN AUDIT
Obtain
(or Retain)
Engagement
Competence
and
capabilities
Relevant
ethical
requirements
(independence)
Engagement
Planning
Risk
Assessment
Audit
Evidence
Reporting
Professional skepticism and professional judgment
Relevant ethical requirements (due care)
Chapter 2 Professional Standards 51
Competence and Capabilities
Competence and capabilities begin with education in accounting because auditors hold
themselves out as experts in accounting standards, financial reporting, and auditing.
In addition to university-level education prior to beginning their careers, auditors are
required to participate in continuing professional education throughout their careers to
ensure that their knowledge keeps pace with changes in the accounting and auditing profession. In fact, one of the important requirements for maintaining a CPA license is sufficient continuing professional education.
Education is only one element of competence and capabilities. Another important
dimension is experience, which is gained with hands-on practice and on-the-job training.
An important component of this experience is the ability to develop and apply professional judgment in real-world audit situations. These situations include various judgments related to gathering evidence as to the fairness of an entity’s financial statements
and evaluating whether that evidence indicates that the financial statements are prepared
according to generally accepted accounting principles. (Professional judgment is also an
important component of the performance principle, which will be discussed later.)
Independence and Due Care
The responsibilities principle requires auditors to comply with appropriate ethical requirements; two important requirements relate to independence and due care. Auditors must
maintain independence in mental attitude; that is, auditors are expected to be unbiased
and impartial with respect to the financial statements and other information they audit.
This “state of mind” is often referred to as the auditor possessing independence in fact.
This independence allows auditors to form an opinion on the entity’s financial statements
without being affected by influences that might compromise that opinion.
It is not only important for auditors to be unbiased; they must also appear to be unbiased. Independence in appearance relates to others’ (particularly financial statement users’)
perceptions of auditors’ independence. For example, imagine that the son or daughter of
your professor was enrolled in your class. While your professor may truly be unbiased
and evaluate the child fairly, it is unlikely that you and your classmates would believe
your professor to be independent. Just as a baseball umpire should not care about the
outcome of a game (only that the rules are followed), an auditor should not care about the
financial performance of a client (only that its financial statements are prepared according to accounting rules, or GAAP).
Although independence is a complex concept and many different threats to independence exist, two general types of relationships that are believed to jeopardize (or compromise) independence are
1. Financial relationships, such as owning shares of stock in a client or having a loan
outstanding to or from a client.
2. Managerial relationships, such as the ability to act in a decision-making capacity on
behalf of a client or to provide advice on systems or information that will subsequently be
audited. An example of such an issue is shown in the Auditing Insight “PwC and Mattel.”
AUDITING INSIGHT
PwC and Mattel
PwC has served as auditor for Mattel, Inc. (a multinational toy manufacturing company whose products and brands include Barbie, Hot Wheels,
and Fisher-Price) since 1974. This relationship was recently threatened
when Joshua Abrahams, lead audit partner for PwC, provided recommendations for candidates for senior-level positions within Mattel.
In response, PwC placed Abrahams on administrative leave and
replaced other members of the Mattel audit team. After a thorough
internal investigation, Mattel’s audit committee decided to retain PwC
as auditor in 2020 and concluded that “. . .the objectivity and impartiality of Mattel’s outside auditor has not been impaired. . .”
Sources: Mattel Completes Internal Investigation of Whistleblower Letter and
Announces Remedial Actions, Mattel, Inc., October 29, 2019 (online source);
“Mattel’s Finance Chief to Leave,” The Wall Street Journal, October 30,
2019, p. B5.
52 Part One The Contemporary Auditing Environment
Clearly, the relationships just listed would impair perceptions of auditors’ independence, but other considerations are necessary. For example, although it seems safe to
conclude that an audit team member’s spouse should be restricted from the preceding
types of relationships for a client for which the team member is providing services, could
that spouse have these types of relationships with respect to a client served by a distant
office of the team member’s firm? Could the audit team member’s third cousin have such
relationships?
It is difficult to think of a matter more fundamental to the value of an audit than independence. Without independence, third-party users are not able to rely on the auditor’s
work and opinion on the entity’s financial statements. The preceding discussion identifies some of the major factors affecting independence, but the possible relationships
involving auditors, entities, and their personnel are endless; the complexities of these
relationships have resulted in a number of interpretations and ethics rulings regarding
auditor independence. Many individuals fundamentally question whether auditors can be
independent given the fee arrangement they have with their clients. (Imagine the situation
if you directly paid your professor instead of the university for your tuition!) In addition,
the often long-standing relationships between auditors and their clients have resulted in
some attempts to require periodic rotation of audit firms to lessen the impact of financial
relationships between these two parties and enhance independence.
Issues related to auditor independence may provide some significant challenges in
practice. For example, an investigation in the early 2000s of independence violations at
PwC revealed that “. . . approximately 86.5 percent of PwC partners and 10.5 percent of
all other PwC professionals had independence violations.”6 More recently, PwC violated
independence requirements for 15 issuers from 2013 to 2016 by performing prohibited
non-audit services (related to the design and implementation of financial reporting software) and failing to appropriately report non-audit services to these issuers’ audit committees.7 The Auditing Insight “Changes in the United Kingdom” summarizes a case that
raised concerns about auditor independence.
This section introduced the concept of auditor independence and provided a limited
overview of issues that impact auditor independence. A detailed discussion of AICPA
and SEC rules related to independence (and various interpretations of those rules) is
provided in Module B.
AUDITING INSIGHT
Changes in the United Kingdom
Issues related to the importance of independence have been raised
following the collapse of Carillion, the second largest United Kingdom
(UK) construction company with over 43,000 worldwide employees.
Two UK House of Commons committees noted that “. . . conflicts of
interest at every turn” resulted in KPMG’s failure to challenge questionable accounting practices at Carillion.
In response to this criticism, the UK’s Financial and Reporting
Council (FRC) is requiring Big Four firms to split their auditing and nonauditing functions into separate operating entities (currently, nonauditing services account for over 75 percent of total firm revenues, and
unlike U.S. firms, UK firms can provide significant levels of consulting
services to audit clients). Other proposed actions to reduce the influence of the Big Four firms (and increase independence) include requiring firms to utilize a smaller (non-Big Four) firm to conduct part of the
audit and capping the number of companies in the FTSE Index a firm
could audit.
Sources: “Big Four Auditors Face New U.K. Calls to Break Apart,” The Wall
Street Journal Online, May 16, 2018 (online source); “U.K. Toughens Auditor
Rules,” The Wall Street Journal, December 19, 2018, p. B11; “U.K. Regulator
Orders Big Four to Separate Audit Practices by 2024,” The Wall Street Journal
Online, July 6, 2020 (online source); U.K. Mulls Capping Number of Audits Big
Four Firms Can Do,” The Wall Street Journal Online, March 18, 2021 (online
source).
6
Independent Consultant Finds Widespread Independence Violations at PricewaterhouseCoopers, SEC Press Release 2000–4,
Securities and Exchange Commission, January 6, 2000.
7
In the Matter of PricewaterhouseCoopers LLP, Respondent, SEC Accounting and Enforcement Release No. 4084, Securities and
Exchange Commission, September 23, 2019.
Chapter 2 Professional Standards 53
A second ethical requirement identified by the responsibilities principle is that of due
care. Due care (also known as due professional care) reflects a level of performance that
would be exercised by reasonable auditors in similar circumstances. This standard is often
referred to as that of a prudent auditor; auditors are expected to possess the skills and
knowledge of others in their profession but are not expected to be infallible. This aspect
relates to the competence and capabilities of the auditor to perform the engagement and
issue appropriate reports. One specific element of due care noted by the standards is the
need for auditors to plan and perform the audit with an appropriate level of professional
skepticism as discussed in the following section.
Professional Skepticism and Professional Judgment
Professional skepticism and professional judgment are necessary responsibilities of auditors throughout the entire audit process. Professional skepticism (which was introduced in
Chapter 1) is a state of mind that is characterized by appropriate questioning and a critical
assessment of audit evidence. When exhibiting professional skepticism, auditors do not
assume that management is dishonest, nor do they assume that management is unquestionably honest. Rather, auditors evaluate and consider
∙ Contradictory audit evidence obtained through different procedures.
∙ The reliability of documentary evidence.
∙ The reliability of information obtained from management and those charged with governance of the entity (e.g., the audit committee).
Although the preceding discussion suggests that professional skepticism is a relatively
straightforward concept, situations occur during the audit that could impede auditors’
ability to apply appropriate levels of professional skepticism. A PCAOB Staff Practice
Alert8 identified the following conditions that present challenges for auditors maintaining
appropriate levels of professional skepticism; these conditions may result in auditors failing to appropriately question, assess, evaluate evidence, and, ultimately, reach the correct
conclusion during their engagement:
∙ Financial incentives and pressures (such as building or maintaining a long-term audit
engagement, facing pressures to keep audit fees low, achieving high levels of client
satisfaction, and providing other fee-related services to clients).
∙ Time pressures (such as completing the audit and report prior to deadlines and scheduling and workload demands on partners and other audit team members).
∙ Personal relationships developed with clients that provide auditors with an inappropriate level of trust or confidence in management.
Professional judgment is the application of relevant training, knowledge, and experience in making informed decisions about appropriate courses of action during the audit
engagement. These judgments relate to the evidence obtained during the audit and the
conclusions reached based on this evidence. Auditors are required to demonstrate this
characteristic throughout the entire audit process as they do professional skepticism.
Professional judgment is required as auditors gather evidence, evaluate evidence, and
draw conclusions based on evidence. Professional judgment is particularly important in
evaluating the reasonableness of various management estimates required in preparing the
entity’s financial statements.
In addition to demonstrating appropriate levels of professional judgment, auditors are
required to carefully document their professional judgment in such a manner that experienced auditors with no previous relationship with the audit can understand the judgments
made in reaching conclusions on significant issues. The Auditing Insight “Madoff and
the Responsibilities Principle” illustrates some seemingly obvious questions that should
have been raised with respect to the professional responsibilities of Madoff’s auditor.
8
Maintaining and Applying Professional Skepticism in Audits, PCAOB Staff Audit Practice Alert No. 10, PCAOB, December 4, 2012.
54 Part One The Contemporary Auditing Environment
AUDITING INSIGHT
Madoff and the Responsibilities Principle
A preliminary investigation of the actions of David Friehling (the individual responsible for the audits of Bernard L. Madoff Investment
Securities LLC) illustrated the following potential violations of elements of the responsibilities principle:
•
Friehling did not verify the existence of assets or securities trades
made by Madoff’s company, suggesting a lack of professional
skepticism and a lack of due care.
•
•
Friehling was the sole auditor at Friehling and Horowitz, raising
the question as to whether a “one-man” firm has the capability to
effectively audit a company as large as Madoff’s.
Friehling and his family had investment accounts at Madoff’s company worth more than $14 million, a conflict of interest that raises
questions about his independence.
Source: “Accountant Arrested for Sham Audits,” The Wall Street Journal,
March 19, 2009, p. C1.
REVIEW CHECKPOINTS
2.5 Distinguish between independence in fact and independence in appearance. Can auditors be independent in fact yet not be perceived to be independent in appearance?
2.6 What is due care? To what standards are auditors held with respect to due care?
2.7 Define professional skepticism and professional judgment. During what stages of the audit are
auditors required to demonstrate these characteristics?
FUNDAMENTAL PRINCIPLE: PERFORMANCE
LO 2-3
Describe the fundamental
principle of performance
and identify the major
activities performed in an
audit.
The fundamental principle of performance sets forth general quality criteria for conducting an audit. As noted in the preceding section, in addition to the elements of this principle, the performance of the audit is influenced by the need for auditors to exercise
professional skepticism and professional judgment throughout the audit process. The performance principle states that
To express an opinion, the auditor obtains reasonable assurance
about whether the financial statements as a whole are free from
material misstatement, whether due to fraud or error. To obtain
reasonable assurance, which is a high but not absolute level of
assurance, the auditor
∙ Plans the work and properly supervises any assistants.
∙ Determines and applies appropriate materiality level or levels
throughout the audit.
∙ Identifies and assesses risks of material misstatement, whether
due to fraud or error, based on an understanding of the entity
and its environment, including the entity’s internal control.
∙ Obtains sufficient appropriate audit evidence about whether
material misstatements exist, through designing and implementing appropriate responses to the assessed risks.
Chapter 2 Professional Standards 55
An important concept underlying the performance principle noted above is that of reasonable assurance. Reasonable assurance recognizes that a GAAS audit may not detect all
material misstatements and auditors are not “insurers” or “guarantors” regarding the fairness of the entity’s financial statements. However, auditors should provide a high level of
assurance (or confidence) regarding their work. As the preceding reflects, the performance
principle contains four elements: (1) planning and supervision, (2) materiality, (3) risk
assessment, and (4) audit evidence. These are discussed in the remainder of this section.
Planning and Supervision
After obtaining or retaining the engagement, the next major stage of the audit is planning,
as shown in the following figure. The professional standards contain several considerations
for planning and supervising an audit. They are concerned with (1) preparing an audit
plan and supervising the audit work, (2) obtaining knowledge of the client’s business, and
(3) dealing with differences of opinion among the accounting firm’s own personnel.
STAGES OF AN AUDIT
Obtain
(or Retain)
Engagement
Engagement
Planning
Risk
Assessment
Audit
Evidence
Reporting
GAAS require the preparation of a written audit plan. An audit plan is a list of the
audit procedures that auditors need to perform to gather sufficient appropriate evidence
on which to base their opinion on the financial statements. The procedures in an audit
plan should be stated in enough detail to instruct the assistants about the work to be done.
(You will see detailed audit plans later in this textbook.)
Auditors are also required to obtain an understanding of the client’s business and
industry. This knowledge helps auditors identify areas for special attention (the accounts
or classes of transactions where frauds or errors might exist), evaluate the reasonableness of accounting estimates made by management, evaluate management’s responses
to inquiries, and make judgments about the appropriateness of management’s choices
among accounting principles. Auditors gain this understanding of a business through a
variety of methods, including
∙ Discussions with management and other client personnel.
∙ Experience with other entities in the same industry.
∙ Reviewing AICPA accounting and audit guides, industry publications, other entities’
financial statements, business periodicals, and textbooks.
Just as having advance notice of assignments and examinations makes it easier for
you (as a student) to perform better on those assignments, timing is important for audit
planning. To have time to plan an audit, auditors should be engaged before the client’s
fiscal year-end. The more advance notice auditors have, the better they are able to provide
enough time for planning. The audit team may be able to perform part of the audit at an
interim date—a date some weeks or months before year-end—and thereby make the rest
of the audit work more efficient. For example, in examining property, plant, and equipment, auditors may evaluate activity in the account balance up to some date during the
year (say, September 30) prior to year-end and then evaluate activity occurring between
that date and December 31 following year-end (the roll-forward period), as shown in the
following graphic. Essentially, at December 31, auditors have evaluated the account balance through the interim date (in this case, September 30) and will evaluate the remainder
56 Part One The Contemporary Auditing Environment
of the activity following year-end. Doing so permits audit work to be “shifted” from after
year-end to prior to year-end and allows the audit to be completed on a more timely basis.
January 1
December 31
Evaluate activity from January 1
through interim date
Evaluate activity from interim date
through December 31
Planning and interim work
Normal year-end work
The Auditing Insight “Too Late” illustrates how late appointment of an auditor may
result in the inability to appropriately plan the engagement.
AUDITING INSIGHT
•
Too Late
In its Form NT 10-K filing with the SEC, Digital Turbine Inc. disclosed that its multiple acquisitions and growing scale and global
profile had resulted in the appointment of a new accounting firm
(Grant Thornton) in March 2021, just prior to its March 31, 2021,
fiscal year-end. Because of the late appointment of Grant Thornton and its inability to plan and perform the audit on a timely basis,
the company was unable to meet the deadline for filing its financial statements with the SEC.
•
In an academic study, Cassell et al. found that later appointment of
auditors leads to a higher likelihood of future financial statement
restatements.
Sources: Digital Turbine Inc. Form NT 10-K (filed June 2, 2021); C. A. Cassell, J. C. Hansen, L. A. Myers, and T. A. Seidel, “Does the Timing of Auditor
Changes Affect Audit Quality,” Journal of Accounting, Auditing, & Finance,
35(2) 2020, pp. 263-289.
Engagement planning is discussed in greater detail in Chapter 3. In addition, planning
activities related to the audit of various accounts and cycles are discussed in Chapters 6,
7, 8, 9, and 10.
Materiality
The concept of materiality recognizes that auditors should focus on matters that are important to financial statement users. One common way of viewing materiality is the dollar
amount that would influence the lending or investing decisions of financial statement
users. Auditors and users do not expect account balances to be accurate to the penny;
after all, many entities round their financial statements to the thousands, or even millions,
of dollars! For example, Apple reported net income of $94.7 billion in 2021; clearly, a
misstatement of $1 million (0.001 percent of net income) would not likely affect users’
decisions, but a misstatement of $10 billion (10.6 percent of net income) probably would.
Materiality is recognized as part of the objective of an audit, which is “to obtain reasonable assurance about whether the financial statements as a whole are free of material
misstatement” [emphasis added] (AU-C 200.12). Materiality is commonly established
based on percentages of key financial statement subtotals, such as net income, sales or
revenues, and total assets.
The audit team considers materiality in planning the audit, performing the audit, and
evaluating the effect of misstatements on the entity’s financial statements. Auditors are
responsible only for providing reasonable assurance that misstatements material to the
entity’s financial statements are identified. Stated another way, auditors are not responsible for detecting misstatements that are not material to the financial statements.
Although the concept of materiality appears to be relatively straightforward, implementation of materiality during the audit requires high levels of professional judgment.
For example, suppose a small dollar misstatement (in absolute terms) resulted in an entity
meeting its earnings expectations or resulted in an entity reporting higher earnings than in
the previous year. Certainly, these impacts would likely influence investment decisions,
even if the dollar amount is relatively small. Circumstances such as these are referred to
Chapter 2 Professional Standards 57
as qualitative materiality factors and should also be considered by auditors. The role of
materiality in the planning stages of the audit is discussed in more detail in Chapter 3.
Risk Assessment
An important part of the performance principle is for auditors to identify important concerns (or risks) they face in the audit. This process is referred to as risk assessment
STAGES OF AN AUDIT
Obtain
(or Retain)
Engagement
Engagement
Planning
Risk
Assessment
Audit
Evidence
Reporting
The risk assessment process requires an understanding of the client, its operating environment, and its industry. This includes internal controls operating within the client’s
accounting information systems that ultimately produce the client’s financial statements.
Internal control over financial reporting (also referred to as internal control) may be defined as
the policies and procedures implemented by an entity to prevent or detect material accounting frauds or errors and provide for their correction on a timely basis. Satisfactory internal
control reduces the probability of frauds or errors in the accounts. This understanding provides the foundation for the work auditors do in assessing the risk of material misstatement,
a combination of inherent risk (the probability that a material misstatement, either an error
or fraud, will occur) and control risk (the probability that a material misstatement, either an
error or fraud, will not be prevented or detected on a timely basis by the entity’s internal
controls). One way to think of the risk of material misstatement is the likelihood that an
error or fraud will exist in the financial statements prior to considering the auditors’ work.
The primary purpose of assessing the risk of material misstatement is to help auditors
determine the nature, timing, and extent of further audit procedures necessary for gathering evidence about the fairness of the entity’s financial statements. The process of risk
assessment presumes two necessary relationships:
1. Effective internal control reduces control risk (and decreases the risk of material misstatement), and auditors thus have a reasonable basis for reducing the necessary effectiveness of further audit procedures.
2. Ineffective internal control increases control risk (and increases the risk of material
misstatement), and auditors must increase the necessary effectiveness of further audit
procedures.
Because these further audit procedures are used to obtain evidence with respect to the
fairness of the account balance (i.e., to “substantiate” the account balance), they are
referred to as substantive procedures. The auditors’ substantive procedures are reflected in
the determination of detection risk, which is discussed in the next section. A depiction of
this relationship follows:
Effective Internal Control
Lower Level of Control
Risk
Allows auditors to evaluate less
evidence and/or use less
effective substantive procedures
Ineffective Internal Control
Higher Level of Control
Risk
Requires auditors to evaluate more
evidence and/or use more
effective substantive procedures
58 Part One The Contemporary Auditing Environment
The importance of internal control in the audit examination is evidenced by an
increase in auditors’ responsibility for internal control in the audit of issuers such that
auditors evaluate (through testing the operating effectiveness of specific controls) and
report on the effectiveness of an issuer’s internal control over financial reporting. This
is one example of auditors’ responsibility in the audit of an issuer exceeding that for the
audit of a nonissuer. Internal control is discussed in more detail in Chapter 5; in addition,
important elements of internal control related to the audit of various accounts and cycles
are discussed in Chapters 6, 7, 8, 9, and 10.
REVIEW CHECKPOINTS
2.8 Define reasonable assurance. How does the audit team provide reasonable assurance in the
engagement?
2.9 What is an audit plan? During which stage of the audit is an audit plan prepared?
2.10 What is an interim date? How do audit procedures conducted prior to an interim date impact the
audit examination?
2.11 What is materiality? During what stages of the audit do auditors consider materiality?
2.12 For what reasons do auditors obtain an understanding of a client’s internal control?
2.13 What is the basic relationship between the effectiveness of the client’s internal control and the
necessary effectiveness of substantive procedures?
Audit Evidence
The final element of the performance principle requires that the audit team collects and
evaluates sufficient appropriate evidence to provide a reasonable basis for their opinion.
STAGES OF AN AUDIT
Obtain
(or Retain)
Engagement
Engagement
Planning
Risk
Assessment
Audit
Evidence
Reporting
Evidence is the information that auditors use in arriving at the conclusions on which
to base the audit opinion and includes the underlying accounting data and all available
corroborating information. Examples of evidence include minutes of meetings, confirmations with independent third parties, invoices, analyst reports, and all other information
that permits auditors to reach valid, logical conclusions. As noted, the methods auditors
use to gather and evaluate this evidence are referred to as substantive procedures, which
are performed following the auditors’ risk assessment process.
The performance principle requires auditors to gather “sufficient appropriate” evidence. To be considered appropriate, evidence must be trustworthy (reliable) and must
provide the audit team with information of interest (relevant). Professional standards note
the following with respect to the reliability of evidence:
∙ Evidence created by sources external to the entity is more reliable than that created by
the entity. From most to least reliable, sources of evidence are auditors (direct personal
knowledge), parties external to the entity (external evidence), and parties internal to
the entity (internal evidence).
Chapter 2 Professional Standards 59
∙ Evidence created by sources outside the entity is more reliable when received directly
from the external source (direct external evidence) than when received from sources
internal to the entity (external-internal evidence).
∙ Evidence obtained from entities with more effective internal controls is more reliable
than that obtained from entities with less effective internal controls.
∙ Evidence obtained from original source documents is more reliable than that obtained
from photocopies, facsimiles, or electronic documents. The Auditing Insight “Wirecard’s Cash” illustrates an example of the issues that may result from relying on nonoriginal documents.
AUDITING INSIGHT
Wirecard’s Cash
An affiliate of EY (Ernst & Young GmbH) relied upon scanned electronic copies of documentation from two Philippine banks to verify the
existence of € 1.9 billion ($2.1 billion) of cash in its audit of Wirecard
AG (a German-based fintech company). A request for subsequent
confirmation revealed that the electronic copies were fraudulent and
the banks never held any funds on behalf of Wirecard.
Source: “German Regulator Steps Down, EY Changes Leadership Following Wirecard Scandal,” The Wall Street Journal Online, February 25, 2021 (online source).
Relevance refers to the nature of information provided by the audit evidence; for
example, when auditors confirm accounts receivable with customers, this audit procedure
provides evidence that the account is legitimate (i.e., the sale actually took place) but
does not provide evidence that the account will ultimately be collectible. The nature of
information provided by evidence is operationalized through the management assertions
identified and discussed in Chapter 1.
Appropriateness relates to evidence quality, and sufficiency relates to evidence quantity. For large entities, auditors do not audit all of the transactions and components but
examine a sample of these items in drawing their conclusions. Sufficiency relates to the
number of transactions or components evaluated.
The sufficiency and appropriateness of evidence are reflected in the necessary level
of detection risk. Detection risk represents the risk that the audit team’s substantive procedures will fail to detect a material misstatement. As auditors require a higher quality
of evidence (lower detection risk), they must gather more relevant and reliable evidence
(appropriateness) and evaluate more transactions or components (sufficiency). Evidencegathering procedures are discussed in more detail in Chapter 3. In addition, specific
approaches to gathering evidence in the examination of various accounts and cycles are
discussed in Chapters 6, 7, 8, 9, and 10.
Exhibit 2.1 summarizes the key characteristics of evidence just discussed. Note that
the desired level of detection risk impacts the necessary sufficiency and appropriateness
of audit evidence. Also note that the appropriateness is affected by both the relevance of
the evidence and its reliability.
EXHIBIT 2.1 Key
Detection Risk
Characteristics of
Audit Evidence
Appropriateness (quality of evidence)
Relevance (What
does evidence tell
the auditor?)
Reliability (Can the
auditor trust the
evidence?)
Sufficiency (quantity of
evidence)
60 Part One The Contemporary Auditing Environment
REVIEW CHECKPOINTS
2.14 Define audit evidence.
2.15 Define external, external–internal, and internal documentary evidence.
2.16 Distinguish between relevance and reliability as these concepts relate to audit evidence. How are
relevance and reliability associated with the appropriateness of audit evidence?
2.17 How does the source of evidence affect its reliability?
2.18 How are the sufficiency and appropriateness of evidence related to detection risk?
FUNDAMENTAL PRINCIPLE: REPORTING
LO 2-4
Understand the fundamental
principle of reporting and
identify the basic contents of
the auditors’ report.
The ultimate objective of the audit—the report on the audit—is guided by the fundamental principle of reporting, which states
Based on evaluation of the evidence obtained, the auditor
expresses in the form of a written report, an opinion in accordance with the auditor’s findings, or states that an opinion
cannot be expressed. The opinion states whether the financial
statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework.
As the following graphic shows, reporting is the final stage of an audit and occurs following the gathering of audit evidence.
STAGES OF AN AUDIT
Obtain
(or Retain)
Engagement
Engagement
Planning
Risk
Assessment
Audit
Evidence
Reporting
An example of an auditors’ report is shown in Exhibit 2.2, and you should review it in
relation to the following discussion.
The report in Exhibit 2.2 is the report form used for issuers; differences in wording
exist, but the report for nonissuers conveys essentially the same information. You should
understand the term financial statements to include not only the traditional financial
statements, but also all footnote disclosures and additional information (e.g., earnings per
share calculations) that are integral elements of the basic financial presentation required
by GAAP.
The reporting principle requires the auditor to express an opinion on the entity’s financial statements (or indicate that an opinion cannot be expressed). With respect to this
requirement, the last sentence in the first paragraph of Deloitte & Touche’s report begins
with the phrase “In our opinion,” which represents the expression of an opinion.
Chapter 2 Professional Standards 61
EXHIBIT 2.2 Example Auditors’ Report for Issuer (Microsoft Corporation)
Report of Independent Registered Public Accounting Firm
The Board of Directors and Shareholders of Microsoft Corporation
Opinion on the Financial Statements
We have audited the accompanying consolidated balance sheets of Microsoft Corporation and subsidiaries (the “Company”) as of June 30,
2021 and 2020, the related consolidated statements of income, comprehensive income, stockholders’ equity, and cash flows, for each of the
three years in the period ended June 30, 2021, and the related notes (collectively referred to as the “financial statements”). In our opinion,
the financial statements present fairly, in all material respects, the financial position of the Company as of June 30, 2021 and 2020, and
the results of its operations and its cash flows for each of the three years in the period ended June 30, 2021, in conformity with accounting
principles generally accepted in the United States of America.
We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (“PCAOB”),
the Company’s internal control over financial reporting as of June 30, 2021, based on criteria established in Internal Control—Integrated
Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission and our report dated July 29, 2021,
expressed an unqualified opinion on the Company’s internal control over financial reporting.
Basis for Opinion
These financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on the Company’s
financial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent
with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and
Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to
obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our
audits included performing procedures to assess the risks of material misstatement of the financial statements, whether due to error or
fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding
the amounts and disclosures in the financial statements. Our audits also included evaluating the accounting principles used and significant
estimates made by management, as well as evaluating the overall presentation of the financial statements. We believe that our audits provide
a reasonable basis for our opinion.
Critical Audit Matters
The critical audit matters communicated below are matters arising from the current-period audit of the financial statements that were
communicated or required to be communicated to the Company’s Audit Committee and that: (1) relate to accounts or disclosures that are
material to the financial statements and (2) involved our especially challenging, subjective, or complex judgments. The communication of
critical audit matters does not alter in any way our opinion on the financial statements, taken as a whole, and we are not, by communicating
the critical audit matters below, providing separate opinions on the critical audit matters or on the accounts or disclosures to which they
relate.
[Auditors’ report provided description and method of addressing Critical Audit Matters related to Revenue Recognition and Uncertain Tax
Positions Related to Transfer Pricing Issues]
DELOITTE & TOUCHE LLP
Seattle, Washington
July 29, 2021
We have served as the Company’s auditor since 1983
In expressing this opinion, the auditor is required to assess the financial statements
against an applicable financial reporting framework. A financial reporting framework is a
set of criteria used to determine the measurement, recognition, presentation, and disclosure of material items in the financial statements; three examples of financial reporting
frameworks are GAAP, International Financial Reporting Standards (IFRS), or a special
purpose framework (such as cash or tax basis). Again, referring to Deloitte & Touche’s
report in Exhibit 2.2, the first paragraph concludes that Microsoft’s financial statements
present its financial condition, results of operations, and cash flows “. . . in conformity
with accounting principles generally accepted in the United States of America” (GAAP).
In this case, GAAP are the applicable financial accounting framework.
The report in Exhibit 2.2 is an example of an unmodified (or unqualified) opinion,
which concludes that the entity’s (in this case, Microsoft’s) financial statements present
62 Part One The Contemporary Auditing Environment
its financial condition, results of operations, and cash flows in conformity with GAAP.9
Other types of opinions that can be expressed include the following:
∙ An adverse opinion concludes that the entity’s financial statements are not presented
in conformity with GAAP (or other financial reporting framework such as IFRS).
∙ A qualified opinion concludes that except for a relatively isolated (usually limited)
departure, the entity’s financial statements are presented in conformity with GAAP (or
other financial reporting framework, such as IFRS).
∙ In some cases (e.g., if the auditors lack independence), auditors may choose not to
express an opinion on the entity’s financial statements. This type of report is referred
to as a disclaimer of opinion. (A disclaimer of opinion is an indication that an opinion
cannot be expressed.)
When these situations are encountered, auditors add an explanatory paragraph to their
report and would then modify some of the paragraphs of the report shown in Exhibit 2.2.
These and other report modifications are discussed further in Chapter 12.
One important phrase in the first paragraph is “in all material respects. . . .” The concept of materiality has been discussed previously as part of the performance principle;
used in a reporting context, it communicates that the audit team is unaware of any material misstatements in the financial statements. The choice of report (unqualified, qualified, or adverse) depends on the nature and materiality (significance) of the effect of the
GAAP departure.
The first paragraph of the report shown in Exhibit 2.2 expresses the auditors’ conclusion on the fairness of Microsoft’s financial statements. The second paragraph of
this report references a report on Microsoft’s internal control over financial reporting.
This report is also presented along with Microsoft’s financial statements and expresses
the auditors’ conclusion regarding the effectiveness of Microsoft’s internal control over
financial reporting. Audit reporting is discussed in greater detail in Chapter 12.
REVIEW CHECKPOINTS
2.19 What is a financial reporting framework? How is it related to the auditors’ reporting
responsibilities?
2.20 What are the four types of audit opinions? What is the conclusion of each one?
EVALUATING THE QUALITY OF PUBLIC ACCOUNTING FIRMS’
PRACTICES
LO 2-5
Understand the role of a
system of quality control
and monitoring efforts in
enabling public accounting
firms to meet appropriate
levels of professional
quality.
To this point in the chapter, we have discussed the professional standards related to audit
engagements. Many organizations are interested in ensuring that public accounting firms
meet these engagement standards and maintain high levels of quality in their practices.
For example, the SEC provides general oversight of the accounting and auditing professions, investigates audit failures (situations in which auditors fail to detect material
financial statement misstatements), and levies fines against firms that have been found
negligent in conducting audits. In addition, the PCAOB inspects the work of audit firms
to ensure that their audits comply with professional standards.10
However, one important issue that has not been addressed is the nature of actions that
firms themselves routinely take to ensure that their work is of high quality and meets the
9
The term unmodified is used to refer to opinions for nonissuers; unqualified is used to refer to opinions for issuers.
Firms auditing only nonpublic entities undergo a peer review process conducted by the AlCPA’s National Peer Review
Committee.
10
Chapter 2 Professional Standards 63
professional standards discussed in this chapter. For example, how do firms ensure that
the personnel assigned to engagements are independent with respect to the client and
have the appropriate level of competence to handle the assignment? What process do
firms use when deciding either to accept or continue an audit engagement? The answers
to these and other questions are reflected in policies and procedures that firms implement
as part of a system of quality control, which is the focus of this section.
System of Quality Control12
The AICPA has issued professional guidance for firms with respect to quality control,
known as quality control standards (designed by the abbreviation QC). Most of these same
standards have also been adopted by the PCAOB for audits of issuers, who are also required
to comply with additional standards issued by the AICPA related to SEC clients. The
PCAOB has issued a recent concept release that would create its own quality control standards, which include the elements of a quality control system discussed in this section.11
Professional standards (QM 10.15) note that the purpose of a system of quality control is
to provide the firm reasonable assurance that the firm and its personnel
∙ Comply with professional standards and applicable regulatory and legal requirements.
∙ Issue reports that are appropriate in the circumstances.
Simply stated, a system of quality control is implemented by firms to ensure that their
work is of high quality and meets the expectations of professional standards. Professional
standards identify six elements of a system of quality control.
1. Leadership responsibilities for quality within the firm (“tone at the top”).
Undoubtedly, you have heard the phrase “leadership by example.” In order for quality
control standards to be effective, it is important that the firm’s management take a lead
role in clearly and consistently demonstrating its own commitment to quality control
and high-quality work. Doing so will make it clear to all personnel that high-quality
work is valued and will be rewarded. Some examples of how this can be done include
∙ A
ssigning management responsibilities in such a manner that financial considerations do not override the quality of work performed.
∙ Basing performance evaluation, compensation, and promotion opportunities for
personnel on the quality of work performed.
∙ Devoting sufficient resources for developing, communicating, and supporting the
firm’s quality control policies and procedures.
It may seem unusual to specify that personnel decisions should be based on the quality of work performed. After all, what other basis should be used? Both the Enron and
WorldCom cases provided anecdotal evidence that suggested the fear of losing a key
client (and the financial impact of that loss on individual auditors’ performance evaluations and opportunities within the firm) contributed to the audit failures in those cases.
2. Relevant ethical requirements. Earlier in this chapter, we discussed independence
and the importance of independence to the auditing profession. Firms should take various actions to ensure that personnel assigned to engagements are both independent in
fact and independent in appearance with respect to the firm’s clients, such as
∙ Communicating independence requirements to personnel.
∙ Identifying circumstances and relationships that create threats to independence and taking appropriate action to eliminate those threats or reduce them to an acceptable level.
11
The proposed PCAOB standards would use slightly different terminology than the AICPA standards and include elements
related to the firm’s risk assessment process and information and communication within the firm. See PCAOB Concept Release:
Potential Approach to Revisions to PCAOB Quality Control Standards, Release No. 2019-003, PCAOB, December 17, 2019.
12
The AICPA recently issued a new standard that adds elements for the firm’s risk assessment process and information and communication. In addition, the term “quality control” has been replaced with “quality management”.
64 Part One The Contemporary Auditing Environment
∙ O
btaining written confirmation from all firm personnel with respect to their compliance with appropriate independence requirements.
3. Acceptance and continuance of client relationships and specific engagements. As
discussed in Chapter 3, one of the most important decisions facing an audit firm is that
of accepting an engagement (for a new client) or continuing to perform an engagement
(for an existing client). When making this decision, firms should focus on three important issues:
∙ The integrity and business reputation of the client.
∙ The firm’s ability to adequately perform the engagement with an appropriate level
of professional competence.
∙ The firm’s ability to comply with legal and ethical requirements related to the
engagement.
The purpose of this process is to avoid association with a client whose management
lacks integrity and to ensure that the firm can perform the engagement at an appropriate level.
In some cases, firms may accept an engagement but later learn that they are unable
to appropriately perform the engagement in accordance with professional responsibilities. If firms decide to withdraw from an engagement after considering the preceding
matters, professional standards note that the firm should document significant issues,
consultations, conclusions, and the basis for any conclusions related to its decision to
withdraw.
4. Human resources. The quality of any professional services organization (such as an
audit firm) is based on the quality of its people. Effective quality control policies and
procedures should be implemented to ensure that firms
∙
∙
∙
∙
Hire quality personnel.
Assign staff to engagements based on their capabilities.
Provide professional development opportunities to staff.
Effectively evaluate, compensate, and promote staff.
The above practices will increase the likelihood that a high-quality audit is conducted by ensuring that the firm has high-quality staff and that these individuals have
the ability to assume the responsibilities assigned to them.
5. Engagement performance. The performance principle (discussed earlier in this chapter) addressed a number of significant issues related to the conduct of an audit engagement. Firms frequently use manuals and other standardized forms of documentation to
meet the preceding objectives.
An important element of quality control is the practice of conducting engagement
quality control reviews for engagements meeting specified criteria identified by the firm
(e.g., engagements in a highly volatile industry or engagements that meet certain risk
criteria). An engagement quality control review includes an internal evaluation of the
significant judgments made by the audit team and the conclusions reached in formulating its report.
6. Monitoring. The purpose of monitoring is to provide the firm with reasonable assurance that policies and procedures composing the system of quality control are operating effectively and complied with in practice. Examples of procedures used to monitor
quality control include
∙ Reviews of selected administrative and personnel records.
∙ Reviews of engagement documentation, reports, and the client’s financial
statements.
∙ Discussions with firm personnel.
∙ Assessments of the (1) appropriateness of the firm’s guidance materials and professional aids, (2) compliance with policies and procedures on independence,
Chapter 2 Professional Standards 65
(3) effectiveness of continuing professional education, and (4) decisions regarding
the acceptance and continuance of client relationships and specific engagements.
Firms may accomplish these monitoring activities through either an ongoing postissuance review of engagement documentation or targeted inspection procedures for a
sample of engagements conducted by the firm.
PCAOB Inspection of Firms
Earlier in this chapter, we addressed the role of the PCAOB in establishing auditing standards. In addition to this role, the PCAOB is charged with monitoring the quality of work
performed by firms auditing issuers and bringing appropriate action against those firms
if substandard work is identified. This monitoring is referred to as an inspection13 and is
conducted as follows:
∙ For firms performing audits of more than 100 issuers, inspections are conducted on an
annual basis.
∙ For firms performing audits of 100 or fewer issuers, inspections are conducted at least
every three years.
Based on information from the PCAOB’s website, more than 1,700 accounting firms
are registered with the PCAOB. As of January 1, 2022, 484 of these firms issue audit
reports but only 11 were required to have annual inspections because they conducted
audits for more than 100 companies.
Inspections are conducted by full-time employees of the PCAOB. These inspections
consist of a review of a sample of audit engagements conducted by the firm as well as an
overall evaluation of the firm’s system of quality control (policies related to audit performance, training, compliance with independence requirements, and client management).
Copies of the PCAOB’s inspection reports can be found (on a firm-by-firm basis) on the
PCAOB’s website. These reports detail the deficiencies identified by the PCAOB on the
sample of audit engagements (the name of the client is not identified); information regarding deficiencies in the firm’s quality control are not publicly disclosed and will be disclosed
only if the firm fails to address those deficiencies within a year following the inspection.
The importance of these inspections are evidenced by a recent scandal involving
KPMG noted in the Auditing Insight “Stealing the Exam.”
AUDITING INSIGHT
Stealing the Exam
A PCAOB employee (who was hoping to join KPMG) leaked confidential information related to planned PCAOB inspections to executives
at KPMG, which would allow the firm to prepare for the inspections
and receive more favorable reports. In the two years preceding the
leak, KPMG had the highest percentage of inspected audits found
to be deficient among the Big Four firms (38% and 54% in 2016 and
2015, respectively). In April 2017, KPMG terminated five executives
(including the national managing partner for audit quality and professional practice, the national partner in charge for inspections, and the
co-leader of the Banking and Capital Markets Group) for their roles in
this scandal.
On June 18, 2019, KPMG agreed to a $50 million settlement
with the SEC related to this matter. Six individuals (the five KPMG
executives and the PCAOB employee) have been charged with conspiracy and wire fraud for their roles in this scheme. Three of the six
individuals received prison sentences (ranging from eight months to
366 days), one received six months home confinement, one received
13
two years supervised release, and one three years probation. In April
2022, the PCAOB announced a monetary fine of $100,000 against
Scott Marcello, KPMG’s former vice chair of audit, which is the largest
monetary fine ever imposed on an individual.
Ironically, PCAOB inspections of KPMG audits following the revelation of this scheme found deficiencies in nearly 50% of the audits
inspected.
Sources: “KPMG Fires Partners Over Leak,” The Wall Street Journal, April 12,
2017, p. B1; “KPMG Ex-Partner Convicted in Scheme to Steal Information,” The
Wall Street Journal, March 12, 2019, p. B3; “KPMG to Pay Penalty Over Cheating Scandal,” The Wall Street Journal, June 18, 2019, p. B1-B2; “Auditor Sentenced in KPMG Case,” The Wall Street Journal, September 12, 2019, p. B10;
“Another Former KPMG Executive Pleads Guilty in ‘Steal the Exam’ Scheme,”
Wall Street Journal Online, October 4, 2019 (online source); “Status of Players
in KPMG Fiasco from Leaked PCAOB Inspection Lists,” (online source); PCAOB
Sanctions Former KPMG Vice Chair of Audit for Failure Reasonably to Supervise, Imposing Largest Individual Penalty Ever in a Settled Proceeding, PCAOB,
April 5, 2022 (online source).
The AICPA has a similar type of process (referred to as peer review) for firms auditing nonissuers.
66 Part One The Contemporary Auditing Environment
The PCAOB Inspection Focus “Grading the Firms” provides a summary of reported
deficiencies for audits conducted by Big Four firms.
PCAOB INSPECTION
FOCUS
Number of
Audits
Inspected
Year
Grading the Firms
Audits in Which
Deficiencies Were
Identified
Number of
Deficiencies
Identified
Audits in Which
Departure
from GAAP Not
Identified by Firms
Audits in Which
Report on Internal
Control Was
Revised
2021 reports (2020 audits)
210
25
81
0
0
2020 reports (2019 audits)
236
52
211
2
8
2019 reports (2018 audits)
213
53
185
0
4
2018 reports (2017 audits)
217
67
138
0
2
2017 reports (2016 audits)
217
61
129
1
6
•
Overall, these results indicate the following:
•
•
24% of all inspected audits had deficiencies
For audits having deficiencies, the average number of deficiencies
per audit was 2.9
0.3% and 1.8% of all inspected audits failed to identify a departure
from GAAP or modify the opinion on internal control over financial
reporting, respectively.
Source: Data from Inspection Reports obtained through PCAOB website
The very public nature of the PCAOB inspection process and controversies surrounding that process raise the question as to whether inspection reports measure audit quality
and are useful to various parties in their decision processes. Recently, amid increasing
complaints that the PCAOB had become more focused on protecting auditors rather than
investors, the SEC voted to remove PCAOB Chair William Duhnke and replace the entire
five-member board. Under the new leadership, the PCAOB is expected to provide greater
transparency around its inspections, increase the scrutiny of audit firms, and more fully
engage with investors.14
The Auditing Insight “Academic Research on PCAOB Inspections” summarizes academic research that examined how the inspection process and results influence the behavior of both audit firms and their clients. The PCAOB has indicated that it is considering
shifting the focus of its investigations from evaluating audit deficiencies to assessing the
firms’ systems of quality control.15
AUDITING INSIGHT
•
Academic Research on PCAOB Inspections
Lamoreaux found that audit firms subject to PCAOB inspections
conducted higher quality audits (as measured by a greater incidence of issuing going-concern opinions and reporting material
weaknesses in internal control and lower client earnings management activities).
•
Aobdia found that audits with PCAOB report deficiencies had an
increase in total audit hours in the following year. In addition, companies whose audits had PCAOB report deficiencies were more
likely to switch auditors, while those without deficiencies were
less likely to switch auditors compared to noninspected audits.
(continued)
14
“SEC Overhauls Auditor Watchdog,” The Wall Street Journal, July 9, 2021, p. B1, B9; “Overhauled Auditing Watchdog Expected
to Boost Industry Scrutiny and Focus on Investors,” The Wall Street Journal Online, November 11, 2021 (online source).
15
“Auditing the Auditors: U.S. Rethinks Approach,” The Wall Street Journal Online, May 6, 2016 (online source).
Chapter 2 Professional Standards 67
AUDITING INSIGHT
•
•
•
(concluded)
Abbott and Buslepp found that triennially inspected firms anticipated upcoming PCAOB inspections by expending additional audit
effort in inspection years, resulting in higher quality audits.
Christensen et al. found that firms receiving PCAOB inspection
reports with audit deficiencies were more likely to be subject to
subsequent litigation, indicating that inspection reports provide
negative information about overall audit quality.
Khurana et al. found that initial PCAOB inspections (beginning in
2003) resulted in the greatest improvement in audit quality for
Big 4 firms, followed by triennially inspected non-Big 4 firms, then
annually inspected non-Big 4 firms.
Sources: P. T. Lamoreaux, “Does PCAOB Inspection Access Improve Audit
Quality? An Examination of Foreign Firms Listed in the United States,” Journal
of Accounting and Economics, April–May 2016, pp. 313–337; D. Aobdia, “The
Impact of the PCAOB Individual Engagement Inspection Process–Preliminary
Evidence,” The Accounting Review, July 2018, pp. 53-80; L. J. Abbott and W.
L. Buslepp, “The Impact of the PCAOB Triennial Inspection Process on Inspection Year and Non-Inspection Year Audits,” Auditing: A Journal of Practice
& Theory, May 2021, pp. 1-21; B. E. Christensen, N. G. Lundstrom, and N. J.
Newton, “Does the Disclosure of PCAOB Inspection Findings Increase Audit
Firms’ Litigation Exposure?,” The Accounting Review, May 2021, pp. 191-219;
I. K. Khurana, N. G. Lundstrom, and K. K. Raman, “PCAOB Inspection and the
Differential Audit Quality Effect for Big 4 and Non-Big 4 US Auditors,” Contemporary Accounting Research, Spring 2021, pp. 376-411.
REVIEW CHECKPOINTS
2.21 What is a system of quality control? Identify the six elements of a system of quality control.
2.22 What factors should auditors consider in deciding whether to accept or continue the engagement
with a particular client? What should firms do if they decide to withdraw from an engagement?
2.23 Provide examples of procedures that firms have used to monitor their quality control policies and
procedures.
2.24 What role does the PCAOB play in connection with monitoring and regulating public accounting
firms?
2.25 How frequently are firms required to have PCAOB inspections?
Summary
This chapter discussed the professional standards that apply to audit engagements and
identified important mechanisms that enable public accounting firms to provide professional services to meet those standards. From an auditing standpoint, generally accepted
auditing standards form the basis for professional engagements and the necessary qualifications and characteristics of auditors. These standards are based on three basic principles, which reflect the overall conduct of the audit examination:
1. Responsibilities, which require auditors to possess competence and capabilities, comply with relevant ethical requirements, maintain professional skepticism, and exercise
professional judgment.
2. Performance, which involves planning the work and supervising assistants, determining and applying appropriate materiality levels, identifying and assessing the risk of
material misstatement, and obtaining sufficient appropriate audit evidence.
3. Reporting, which requires that auditors express an opinion about the fairness of the
entity’s financial statements.
To provide reasonable assurance of compliance with these standards, firms develop
systems of quality control that prescribe policies and procedures related to
∙ The responsibilities of firm leadership for quality.
∙ Ethical requirements.
∙ Acceptance and continuance of client relationships and specific engagements.
68 Part One The Contemporary Auditing Environment
∙ Human resources.
∙ Engagement performance.
∙ Monitoring the effectiveness of the system of quality control.
Under Sarbanes–Oxley, firms conducting audits of issuers are required to have inspections of selected engagements and their systems of quality control by the PCAOB. The
purpose of these inspections is to identify deficiencies in engagements conducted by the
firms and provide suggestions for improvements in their systems of quality control.
Following is a summary of the professional standards and monitoring activities for
audits of issuers and nonissuers.
Professional Standards
Monitoring Requirements
Issuer
Auditing Standards issued by the PCAOB
Annual or triennial inspections conducted by the PCAOB
(frequency depends upon number of audits performed
by the firm)
Nonissuer
Statements on Auditing Standards issued
by the ASB of the AICPA
Triennial peer reviews conducted through the AICPA
National Peer Review Committee
Key Terms
American Institute of Certified Public Accountants (AICPA): As related to professional
auditing standards, the body charged with establishing auditing standards for the audits of ­
non-issuers through Statements on Auditing Standards (SASs) issued by the Auditing Standards
Board, 46
appropriate (audit evidence): Characteristics related to the quality (relevance and reliability) of
audit evidence, 58
audit plan: A comprehensive list of the specific audit procedures that the audit team needs to
perform to gather sufficient appropriate evidence on which to base their opinion on the financial
statements, 55
audit procedures: The specialized actions auditors take to obtain evidence in an
engagement, 49
auditing standards: The audit quality guides that apply to all audits, 49
control risk: The likelihood that the client’s internal control policies and procedures fail to
prevent or detect a material misstatement, 57
detection risk: The likelihood that the auditors’ substantive procedures will fail to detect a
material misstatement that exists within an account balance or class of transactions, 59
due care: A level of performance that would be exercised by reasonable auditors in similar
circumstances, 53
engagement quality control review: An internal evaluation of the significant judgments made
by the audit team and the conclusions reached in formulating its report on an engagement
conducted by that firm, 64
evidence: The information used by auditors in arriving at the conclusion on which the audit
opinion is based, which includes the underlying accounting data and all available corroborating
information, 58
financial reporting framework: The financial reporting standards (i.e., GAAP, IFRS, etc.)
adopted by management and, when appropriate, those charged with governance (audit committee
board of directors) in the preparation of the financial statements, 61
generally accepted auditing standards (GAAS): Standards that identify necessary
qualifications and characteristics of auditors and guide the conduct of the audit examination, 48
Chapter 2 Professional Standards 69
independence in appearance: The extent to which others (particularly financial statement users)
perceive auditors to be independent, 51
independence in fact: Auditors’ mental attitude and impartiality with respect to the client, 51
inherent risk: The probability that in the absence of internal controls, material errors or frauds
could enter the accounting system used to develop financial statements, 57
inspection: An evaluation of an accounting firm’s audit engagements and system of quality
control conducted by the PCAOB and required for any firms providing auditing services to
issuers, 65
internal control over financial reporting: Policies and procedures implemented by an entity to
prevent or detect material accounting frauds or errors and provide for their correction on a timely
basis, 57
issuer: An entity that offers registered securities, such as stocks and bonds, for sale to the general
public (also known as a public entity). Issuers are subject to mandatory audit requirements, 46
materiality: An amount or event that has a substantial likelihood to influence financial statement
users’ decisions, 56
professional judgment: The application of relevant training, knowledge, and experience in
making informed decisions about appropriate courses of action during the audit engagement, 53
professional skepticism: A state of mind that is characterized by appropriate questioning and a
critical assessment of audit evidence, 53
Public Company Accounting Oversight Board (PCAOB): As related to professional auditing
standards, the body charged with establishing auditing standards for the audits of public entities
through the issuance of Auditing Standards. The PCAOB is also responsible for inspecting firms
that perform audits of issuers, 46
reasonable assurance: The concept that recognizes that the costs of control activities should not
exceed the benefits that are expected from the control activities, 55
risk of material misstatement: The combined probability that a material misstatement (error
or fraud) will occur and not be prevented or detected on a timely basis by the entity’s internal
controls. The risk of material misstatement is a combination of inherent and control risk, 57
substantive procedures: The detailed audit and analytical procedures designed to detect material
misstatements in account balances and footnote disclosures, 57
sufficiency (audit evidence): The measure of the quantity of audit evidence (the number of
transactions or components evaluated), 59
system of quality control: The policies and procedures implemented by a firm to provide with
reasonable assurance that the firm and its personnel (1) comply with professional standards and
applicable regulatory and legal requirements and (2) issue reports that are appropriate in the
circumstances, 63
Multiple-Choice
Questions for
Practice and
Review
All applicable questions are available
with Connect.
LO 2-3
2.26 Which of the following categories of principles is most closely related to gathering audit
evidence?
a. Performance
b. Reasonable assurance
c. Reporting
d. Responsibilities
LO 2-2
2.27 Which of the following is not related to ethical requirements of auditors?
a. Due care
b. Independence in appearance
c. Independence in fact
d. Professional judgment
70 Part One The Contemporary Auditing Environment
LO 2-5
2.28 One of an accounting firm’s basic objectives is to provide professional services that conform to professional standards. Reasonable assurance of achieving this objective can be
obtained by following
a. Generally accepted auditing standards.
b. Standards within a system of quality control.
c. Generally accepted accounting principles.
d. International auditing standards.
LO 2-2
2.29 Which of the following best demonstrates the concept of professional skepticism?
a. Relying more extensively on external evidence rather than internal evidence.
b. Focusing on items that have a more significant quantitative effect on the entity’s financial statements.
c. Critically assessing verbal evidence received from the entity’s management.
d. Evaluating potential financial interests held by auditors in the client.
LO 2-3
2.30 The primary purpose for obtaining an understanding of the entity’s environment (including
its internal control) in a financial statement audit is
a. To determine the nature, timing, and extent of substantive procedures to be performed.
b. To make consulting suggestions to the entity’s management.
c. To obtain sufficient appropriate audit evidence to afford a reasonable basis for an opinion on the financial statements.
d. To determine whether the entity has changed any accounting principles.
LO 2-3
2.31 Ordinarily, what source of evidence should least affect audit conclusions?
a. External documentary evidence.
b. Inquiry of management.
c. Documentation prepared by the audit team.
d. Inquiry of entity legal counsel.
LO 2-3
2.32 The most reliable evidence regarding the existence of newly acquired computer equipment is
a. Inquiry of management.
b. Documentation prepared externally.
c. Evaluation of the client’s procedures.
d. Physical observation.
LO 2-3
2.33 Which of the following procedures would provide the most reliable audit evidence?
a. Inquiries of the client’s internal audit staff.
b. Inspection of prenumbered client purchase orders filed in the vouchers payable
department.
c. Inspection of vendor sales invoices received from client personnel.
d. Inspection of bank statements obtained directly from the client’s financial institution.
LO 2-3
2.34 Breaux & Co. CPAs require that all audit documentation indicates the identity of the preparer and the reviewer. This procedure provides evidence relating to which of the following?
a. Independence.
b. Adequate competence and capabilities.
c. Adequate planning and supervision.
d. Sufficient appropriate evidence gathered.
LO 2-2
2.35 Which of the following concepts is least related to the standard of due care?
a. Independence in fact
b. Professional skepticism
c. Prudent auditor
d. Reasonable assurance
LO 2-3
2.36 The evidence considered most appropriate by auditors is best described as
a. Internal documents such as sales invoice copies produced under conditions of strong
internal control.
b. Written representations made by the president of the entity.
Chapter 2 Professional Standards 71
c. Documentary evidence obtained directly from independent external sources.
d. Direct personal knowledge obtained through physical observation and mathematical
recalculation.
LO 2-3
2.37 Auditors’ understanding of the internal control in an entity provides information for
a. Determining whether members of the audit team have the required competence and
capabilities to perform the audit.
b. Ascertaining the independence in mental attitude of members of the audit team.
c. Planning the professional development courses the audit staff needs to keep up to date
with new auditing standards.
d. Planning the nature, timing, and extent of substantive procedures on an audit.
LO 2-5
2.38 Which of the following elements of a system of quality control is related to firms receiving
independence confirmations from its professionals with respect to clients?
a. Acceptance and continuance of client relationships and specific engagements.
b. Engagement performance.
c. Monitoring.
d. Relevant ethical requirements.
LO 2-2
2.39 Which of the following is most closely related to the responsibilities principle?
a. The auditors’ responsibility to issue a report as a result of their examination.
b. The requirement that auditors gather sufficient, appropriate evidence upon which to
base an opinion on the financial statements.
c. The auditors’ compliance with relevant ethical requirements of independence and due care.
d. The auditors’ responsibility to plan the audit and properly supervise assistants.
LO 2-2
2.40 Kramer, CPA, consulted an independent appraiser regarding the valuation of fine art for a
not-for-profit museum. Consultation with the appraiser in this case would
a. Be considered as exercising proper due care.
b. Be considered a failure to follow generally accepted auditing standards because Kramer
should have known how to value fine art before accepting the engagement.
c. Not be considered a violation of generally accepted auditing standards because generally accepted auditing standards does not apply to not-for-profit entities.
d. None of the above.
LO 2-4
2.41 Which of the following topics is not addressed in the auditors’ report for an issuer?
a. Responsibilities of the auditor and management in the financial reporting process.
b. Absolute assurance regarding the fairness of the entity’s financial statements in accordance with GAAP.
c. A description of an audit engagement.
d. A summary of the auditors’ opinion on the effectiveness of the entity’s internal control
over financial reporting.
LO 2-3
2.42 Which of the following recognizes that an audit conducted under generally accepted auditing standards may not detect all material misstatements?
a. Absolute assurance
b. Professional judgment
c. Reliability of audit evidence
d. Reasonable assurance
LO 2-3
2.43 Which of the following combinations would provide the auditor the most reliable evidence?
Source of Evidence
Effectiveness of Internal Control
a. Internal
More effective
b. Internal
Less effective
c. External
More effective
d. External
Less effective
72 Part One The Contemporary Auditing Environment
LO 2-3
2.44 Which of the following is most closely related to the relevance of audit evidence?
a. Auditors decide to physically inspect investment securities held by a custodian instead
of obtaining confirmations from the custodian.
b. In addition to confirmations of accounts receivable, auditors perform an analysis of the
aging of accounts receivable to evaluate the collectability of accounts receivable.
c. In response to less effective internal control, auditors increase the number of customer
accounts receivable confirmations mailed compared to that in the prior year.
d. Because of a large number of transactions occurring near year-end, auditors decide to
confirm a larger number of receivables following year-end instead of during the interim
period.
LO 2-3
2.45 Which of the following statements is not true with respect to the performance principle?
a. Auditors are required to prepare a written audit plan during the planning stages of initial
audits but are not required to do so in continuing audits.
b. Audit teams consider materiality in planning the audit, performing the audit, and evaluating the effect of misstatements on the entity’s financial statements.
c. In assessing the risk of material misstatements, the audit team considers the effectiveness of the entity’s internal controls in preventing and detecting misstatements.
d. Auditors are required to consider both the relevance and the reliability of evidence in
evaluating whether the evidence they have gathered is appropriate.
LO 2-5
2.46 Which of the following is true with respect to PCAOB inspections of accounting firms?
a. All firms performing audits of issuers are required to have annual inspections conducted
by the PCAOB.
b. PCAOB inspections review a sample of audits conducted by firms as well as the firm’s
systems of quality control.
c. All results of PCAOB inspections are made available to the public following the inspection.
d. Firms performing audits of 100 or fewer issuers may elect to have a peer review conducted through the AICPA in lieu of a PCAOB inspection.
LO 2-1
2.47 The particular and specialized actions that auditors take to obtain evidence during a specific
engagement are known as
a. Audit procedures.
b. Audit standards.
c. Interpretive publications.
d. Statements on Auditing Standards.
LO 2-1
2.48 Which of the following combinations of standards and types of audits are most closely
related to the activities of the Public Company Accounting Oversight Board?
a. Develop Auditing Standards for the audits of nonissuers.
b. Develop Auditing Standards for the audits of issuers.
c. Develop Statements on Auditing Standards for the audits of nonissuers.
d. Develop Statements on Auditing Standards for the audits of issuers.
LO 2-4
2.49 Which of the following best describes the general contents of the first paragraph of the
“Basis for Opinion” section of the auditors’ report?
a. A description of an audit examination, including the fact that the audit was conducted
under standards established by the PCAOB.
b. The auditors’ conclusion with respect to the fairness of the entity’s financial statements.
c. Statements identifying the responsibility of auditors and management in the financial
reporting process.
d. The auditors’ conclusion with respect to the effectiveness of the entity’s internal control
over financial reporting.
LO 2-4
2.50 Which of the following opinions would be issued if auditors believed that the entity’s financial statements were not presented in conformity with GAAP?
a. Adverse opinion
b. Disclaimer of opinion
Chapter 2 Professional Standards 73
c. Qualified opinion
d. Unmodified opinion
LO 2-4
2.51 Which of the following principles is most closely associated with the auditors’ conclusion as
to the fair presentation of the entity’s financial statements?
a. Communication principle
b. Performance principle
c. Reporting principle
d. Responsibilities principle
Exercises and
Problems
LO 2-1, 2-5
All applicable questions are available
with Connect.
2.52 AICPA and PCAOB Responsibilities. The creation of the PCAOB by the Sarbanes–Oxley
Act has affected both the standards-setting process and the periodic review of the quality of
an audit firm’s work.
Required:
a. Identify the responsibilities of the AICPA, PCAOB, and SEC in the auditing standardssetting process.
b. Which standard(s) provide guidance for the audits of issuers? Which standard(s) provide
guidance for the audits of nonissuers?
c. What role do the AICPA and PCAOB play in the periodic review of the quality of audit
firms’ work?
LO 2-1
2.53 Professional Guidance. A challenge facing auditors is the wide array of professional guidance available to them in the audits of different types of entities.
Required:
For each of the following, identify whether it is most appropriately associated with Statements on
Auditing Standards (SAS), Auditing Standards (AS), both (B), or neither (N).
a. Issued by the American Institute of Certified Public Accountants.
b. Issued by the Public Company Accounting Oversight Board.
c. Provide guidance for services lesser in scope than an audit engagement.
d. Apply to the audit of nonissuers.
e. Require auditors to gather sufficient, appropriate evidence to support their opinion.
f. Apply to the audit of issuers.
g. Identify necessary qualifications of auditors and guide conduct of the audit examination.
h. Become effective upon approval by the Securities and Exchange Commission.
LO 2-2
2.54 Independence. You are meeting with executives of Cooper Cosmetics Corporation to
arrange your firm’s engagement to audit the corporation’s financial statements for the year
ending December 31. One executive suggests the audit work be divided among three staff
members. One person would examine asset accounts, a second would examine liability
accounts, and the third would examine income and expense accounts to minimize audit
time, avoid duplication of staff effort, and curtail interference with entity operations.
Advertising is the corporation’s largest expense, and the advertising manager suggests
that a staff member of your firm whose uncle owns the advertising agency that handles the
corporation’s advertising be assigned to examine the Advertising Expense account because
the staff member has a thorough knowledge of the complex contract between Cooper Cosmetics and the advertising agency.
Required:
a. To what extent should auditors follow the client’s suggestions for the conduct of an
audit? Discuss.
b. List and discuss the reasons that audit work should not be assigned solely according to
asset, liability, and income and expense categories.
74 Part One The Contemporary Auditing Environment
c. Should the staff member of your accounting firm whose uncle owns the advertising
agency be assigned to examine advertising costs? Discuss.
LO 2-2
2.55 Independence. Generally accepted auditing standards require auditors to be independent.
Included within this standard are the concepts of independence in fact and independence in
appearance.
Required:
a. Define independence in fact and independence in appearance.
b. What two general types of relationships would normally compromise auditors’
independence?
c. For each of the following separate situations, discuss whether you believe the auditors’
independence has been compromised.
1. The auditors’ firm provides extensive consulting services to the client; these services
provide revenues to the firm that exceed revenues received from the audit engagement.
2. The spouse of the partner in charge of the audit engagement occupies an executivelevel position within the client.
3. A distant relative of a partner within the firm occupies an entry-level position within
a client of the firm. (The audit is conducted by another office of the firm with which
the partner has infrequent contact.)
4. A staff member within the firm owns shares of stock of one of that firm’s clients. (She
is not a member of the engagement team serving that client.)
LO 2-2
2.56 Professional Skepticism. An important principle for auditors is the need to maintain an
appropriate level of professional skepticism.
Required:
a. Define professional skepticism.
b. During which stages of the audit are auditors required to exhibit professional skepticism?
c. How does each of the following independent issues potentially relate to the principle of
professional skepticism?
1. The auditor’s firm has served the client for a long period of time, and strong friendships have developed between the firm personnel and client’s officers.
2. Auditors are anxious to complete the audit shortly because of other workload demands
and deadlines related to other engagements.
3. The client has mentioned on a number of occasions its desire to reduce (or limit) the
audit fee.
LO 2-2
2.57 Responsibilities Principle. Martin is considering submitting a proposal to conduct the audit
examination of Phillip Inc., a manufacturer and distributor of automotive parts to large automobile manufacturers. The following are some notes related to Martin’s initial consideration of this potential engagement:
a. Martin learned of this client opportunity through one of its staff accountants, who is a
cousin of Phillip’s chief financial officer.
b. Phillip is a particularly attractive engagement for Martin because it would allow the
firm to enter into the manufacturing market (most of Martin’s clients are in the services
industry and are much smaller than Phillip).
c. Martin inquired with Phillip as to the reason for a change in auditors and was assured
that the former auditors decided not to continue auditing Phillip Inc. because they no
longer possessed the necessary expertise to audit clients in the automotive parts industry (this explanation was confirmed by the former auditors).
d. Martin is concerned about the numerous locations of Phillip’s warehouses and the ability to conduct an appropriate observation of Phillip’s year-end inventory balances.
e. When asked about inventory observation, Phillip indicated that its previous auditors
observed physical inventory at different warehouses on different days and obtained a
written statement from Phillip that transfers between locations did not occur.
f. If Martin obtains the engagement, it will take appropriate actions to ensure that firm
personnel are independent in fact and in appearance with respect to Phillip.
Chapter 2 Professional Standards 75
Required:
For each of the above, identify the component of the responsibilities principle (competence
and capabilities, ethical requirements, or professional skepticism and professional judgment) most closely related to that factor.
LO 2-3
2.58 Performance Principle: Planning. Your public accounting practice is located in a city of
15,000 people. The majority of your work, conducted by you and two assistants, consists
of compiling clients’ monthly statements and preparing income tax returns for individuals
from cash data and partnership returns from books and records. You have a small number of
audit clients; given the current size of your practice, you generally consider it a challenge to
accept new audit clients.
One of your corporate clients is a retail hardware store. Your work for this client has been
limited to preparing the corporate income tax return from a trial balance submitted by the
bookkeeper.
On December 26, you receive from the president of the corporation a letter containing
the following request:
We have made arrangements with First National Bank to borrow $500,000 to finance the
purchase of a complete line of appliances. The bank has asked us to furnish our auditors’ certified statement as of December 31, which is the closing date of our accounting year. The trial
balance of the general ledger should be ready by January 10, which should allow ample time to
prepare your report for submission to the bank by January 20. In view of the importance of this
certified report to our financing program, we trust you will arrange to comply with the preceding schedule.
Required:
From a theoretical viewpoint, discuss the difficulties that are caused by such a short notice audit
request.
(AICPA adapted)
LO 2-3
2.59 Performance Principle: Evidence. Generally accepted auditing standards (the performance principle) require auditors to gather sufficient appropriate evidence on which to base
an opinion.
Required:
a. Briefly define the characteristics “sufficient” and “appropriate” as they relate to audit
evidence.
b. What are relevance and reliability (as they relate to audit evidence)? How do these concepts relate to the auditors’ requirement to gather sufficient appropriate evidence?
c. How does the source of evidence affect its reliability?
d. How does the effectiveness of the entity’s internal control affect the sufficiency and
appropriateness of evidence gathered by auditors?
LO 2-3
2.60 Performance Principle. You have accepted the engagement of auditing the financial statements of the C. Reis Company, a small manufacturing firm that has been your client for
several years. Because you were busy writing the report for another engagement, you sent
a staff accountant to begin the audit with the suggestion that she start with accounts receivable. Using the prior year’s audit documentation as a guide, she prepared a trial balance
of the accounts, aged them, prepared and mailed positive confirmation requests, examined
underlying support for charges and credits, and performed other work she considered necessary to obtain evidence about the validity and collectability of the receivables. At the conclusion of her work, you reviewed the audit documentation she prepared and found she had
carefully followed the prior year’s audit documentation.
Required:
The opinion rendered by auditors states that the audit was made in accordance with generally accepted auditing standards. Identify the important components of the performance
principle and relate them to the audit of C. Reis Company by indicating how they were fulfilled or, if appropriate, how they were not fulfilled.
(AICPA adapted)
76 Part One The Contemporary Auditing Environment
LO 2-3
2.61 Performance Principle. Identify how each of the following statements relates to the performance principle by considering which element(s) of the principle are related to that statement. (A statement may be related to more than one element.) Use the following elements in
providing your response: reasonable assurance; planning and supervision; materiality; risk
assessment; and audit evidence:
∙ Evaluating the effectiveness of the client’s internal control in preventing or detecting
misstatements.
∙ Obtaining an understanding of the client’s business and industry.
∙ Acknowledging that the risk of failing to detect a material misstatement cannot be
reduced to zero.
∙ Obtaining confirmations from the client’s customers as to the ending balances in accounts
receivable.
∙ Preparing a written audit plan.
∙ Designing audit procedures to identify misstatements that would have a significant effect
on financial statement users’ decisions.
∙ Considering the likelihood that the account balance contains a material misstatement.
∙ Limiting overall risks to an acceptably low level.
LO 2-2, 2-3
2.62 Responsibilities and Performance Principles. Respond to each of the following comments that you heard related to the audit of Swan Company, an issuer.
a. “We don’t need to consider the risk of material misstatement in our work because we
really can’t do anything to reduce that risk.”
b. “Because the client has not implemented effective internal controls, we need to gather
more reliable evidence. This means we need to test a greater number of transactions and
obtain more reliable forms of evidence.”
c. “We will really need to spend a lot of time and effort on this audit. Because this client has
just filed for a bond offering, we can’t allow for any misstatements in the financial statements. We need to guarantee the accuracy of the client’s financial statements.”
d. “Because this company has $140 million in revenues, we really shouldn’t be concerned
about smaller accounts because they are not likely to have a major impact on the financial
statements.”
e. “I know it will be more time consuming and expensive, but we are required to physically inspect the stock certificates held by the client rather than obtain confirmation from
the custodian. After all, our own direct observation is more reliable than receiving a
confirmation.”
LO 2-4
2.63 Reporting Principle. The reporting principle requires auditors to express their opinion
through the issuance of a written report.
Required:
a. What is the purpose of the auditors’ opinion and report?
b. What are the major sections in the auditors’ report on the examination of an issuer? What
are the major contents of each of these sections?
c. What are the four types of opinions that auditors can issue?
d. How does the concept of materiality influence the auditors’ report?
LO 2-2, 2-3, 2-4
2.64 Fundamental Principles. For each of the following related to audit engagements, identify
whether the action is most closely related to the responsibilities, performance, or reporting
principle.
a. Evaluating the audit firm personnel’s independence with respect to a prospective client.
b. Gathering sufficient, appropriate evidence.
c. Exercising an appropriate level of professional skepticism.
d. Issuing a qualified opinion on the financial statements because of a material, yet not pervasive, departure from GAAP.
e. Establishing materiality levels for use in determining the amount of evidence to be
gathered.
Chapter 2 Professional Standards 77
f. Considering the susceptibility of the account balance to misstatement to assess the risk of
material misstatement.
g. Possessing the appropriate competence and capabilities to perform the audit.
h. Considering whether a scope limitation precludes sufficient evidence to allow an opinion
to be expressed on the entity’s financial statements.
i. Planning the audit to provide reasonable assurance that the financial statements are free
of material misstatement.
j. Evaluating the potential relationships between the auditor and family who are employed
by the entity.
LO 2-2, 2-3, 2-4
2.65 Comprehensive Principles Case Study. Ray, the owner of a small entity, asked Holmes,
CPA, to conduct an audit of the entity’s records. Ray told Holmes that the audit was to be
completed in time to submit audited financial statements to a bank as part of a loan application. Holmes immediately accepted the engagement and agreed to provide an auditors’
report within three weeks. Ray agreed to pay Holmes a fixed fee plus a bonus if the loan was
granted.
Holmes hired two accounting students to conduct the audit and spent several hours telling them exactly what to do. Holmes told the students not to spend time reviewing the controls but instead to concentrate on proving the mathematical accuracy of the ledger accounts
and on summarizing the data in the accounting records that support Ray’s financial statements. The students followed Holmes’s instructions and, after two weeks, gave Holmes the
financial statements, which did not include footnotes. Holmes studied the statements and
prepared an unmodified auditors’ report. The report, however, did not refer to generally
accepted accounting principles or to the fact that Ray had changed to the accounting standard for capitalizing interest.
Required:
Briefly describe each of the principles and indicate how the action(s) of Holmes resulted in
a failure to comply with these principles.
(AICPA adapted)
LO 2-2, 2-3, 2-4
2.66 Fundamental Principles (Comprehensive). In each of the following, identify which of the
elements of the fundamental principles (responsibilities, performance, or reporting) is most
applicable. In addition, discuss what action(s) (if any) you believe auditors should take with
respect to these issues.
a. An entity has contacted you about performing its audit engagement. You have not previously served a client in the entity’s industry, which has many industry-specific accounting issues that are both technical and complex.
b. An entity has entered into a number of lease agreements. Based on the requirements of
GAAP, you believe that these obligations have not been properly classified in the financial statements; however, the entity has provided full and complete disclosure of this
treatment in the footnotes to the financial statements.
c. Because of a disagreement with its current auditors, an entity has contacted you about
conducting its current-year audit. However, because the previous auditors have just
recently resigned from the engagement, you have some questions as to whether an audit
can be completed in time to meet the entity’s deadlines for providing audited financial
statements to a lender.
d. Based on the effectiveness of the entity’s internal control, you have assessed control
risk at low levels and decided that a smaller number of customer accounts need to be
confirmed.
e. An entity has contacted you about performing its audit engagement. This entity became
aware of your firm because the husband of one of your partners is currently serving as the
entity’s chief financial officer.
f. One of your clients is currently a potential defendant in several cases because of the damage caused by one of its products. Because this entity does not believe that it is likely to
receive an unfavorable outcome from this litigation, it did not disclose the potential litigation in the footnotes accompanying their financial statements.
78 Part One The Contemporary Auditing Environment
g. You are performing tests of the client’s controls over the processing of revenue transactions to determine whether these controls are operating effectively and can be relied upon
to prevent or detect misstatements.
h. One of your supervisors has requested a number of clarifications based on her review of
your work on an audit engagement. A subsequent meeting with her has resolved these
clarifications, and you both have concluded that your work supports the opinion on the
client’s financial statements.
LO 2-2, 2-3, 2-4
2.67 Fundamental Principles (Comprehensive). Identify which of the major fundamental principles (responsibilities, performance, or reporting) is most closely related to each of the
following:
a. The need for auditors to consider their financial relationships with prospective clients.
b. An auditor has raised some questions with respect to management’s response to various
inquiries concerning pending litigation facing the client.
c. The auditors’ consideration of the effectiveness of the entity’s internal control on the
nature, timing, and extent of substantive procedures.
d. The auditors’ evaluation of the magnitude of a misstatement that would impact perceptions of the entity’s profitability.
e. The auditors’ issuance of a disclaimer of opinion because of a significant scope limitation.
f. Relevant education and experience requirements for CPA licensure.
g. The inability of an audit examination to provide absolute assurance with respect to
detecting all material misstatements.
h. The requirement that auditors possess the skills and knowledge of others in their
profession.
i. The preparation of a written audit plan that guides the conduct of the audit engagement.
j. The auditors’ issuance of a qualified opinion because of a departure from GAAP.
LO 2-2, 2-3, 2-4
2.68 Fundamental Principles (Comprehensive). Comment on each of the following statements
you heard in a conversation between two newly hired staff auditors.
a. “Of course, I’m qualified to be assigned to this engagement. I have an accounting degree
from a top university and was an honors graduate. I know some of the accounting rules
have changed since I graduated, but I’ll be able to figure that out as we go through the
audit.”
b. “It doesn’t really matter what others think. . . . I’m completely independent of Acme
Industries and should be a member of the audit team. While I own some stock, it’s a small
amount and I’m holding it for the long term, anyway.”
c. “You really have to question everything the client tells you. That’s what professional
skepticism is all about. It’s a shame you can’t believe a word they say.”
d. “The evidence is lower in quality, but we typically use internal evidence when we audit
property, plant, and equipment. It just takes too much time and costs too much to get
more reliable evidence.”
e. “On that last job, we really planned the audit well. We were able to finish everything by
November 1 and didn’t need to do any work after year-end.”
f. “We’re not too worried about internal control. We always do the same substantive procedures anyway, so why take the time to look at the client’s controls?”
g. “Because the client isn’t accounting for its leases properly, we need to issue either a
qualified opinion or a disclaimer of opinion. Just how large a dollar impact does this have
on the financial statements?”
h. “When we evaluate items for materiality, the only thing we need to worry about is the
absolute dollar amount. There really isn’t anything else we need to consider.”
LO 2-5
2.69 System of Quality Control. Each of the following quality control policies and procedures
is typical of ones that can be found in public accounting firms’ systems of quality control.
Identify each of them with one of the six elements of quality control.
a. Assign management responsibilities in such a manner that commercial considerations do
not override the quality of work performed.
Chapter 2 Professional Standards 79
b. Establish policies and procedures for resolving differences of opinion among firm personnel that arise during professional engagements.
c. Develop policies and procedures to ensure that professionals are provided appropriate
professional development opportunities.
d. Review engagement documentation, reports, and the client’s financial statements.
e. Develop effective performance evaluation, compensation, and advancement procedures.
f. Identify circumstances and relationships that create threats to independence and take
appropriate action to eliminate those threats or reduce them to an acceptable level.
g. Identify whether the firm possesses the competency, capability, and resources to appropriately serve a specific client.
h. Devote sufficient resources to develop, communicate, and support the firm’s quality control procedures.
i. Retain engagement documentation for a sufficient period of time to satisfy the needs of
the firm, professional standards, laws, and regulations.
LO 2-5
2.70 Evaluating Quality Control. Firms auditing issuers are required to have periodic inspections conducted by the PCAOB.
Required:
a. What are the major characteristics of PCAOB inspections?
b. What types of firms typically have PCAOB inspections? How frequently are these evaluations conducted?
LO 2-5
2.71 Internet Exercise: Public Company Accounting Oversight Board Inspection Reports.
Refer to the website of the Public Company Accounting Oversight Board (PCAOB) (www.
pcaobus.org), review the information under “Inspections,” and select the most current
inspection report for one of the Big Four firms (Deloitte, EY, KPMG, and PwC).
Required:
a. What information is contained in the “public” version of the PCAOB’s inspection
reports? Is there any additional information that you would like to see?
b. For the firm you selected, how many practice offices had audits inspected by the PCAOB?
c. For the firm you selected, for how many audits (issuers) did the PCAOB find deficiencies?
d. Identify five deficiencies that were cited in the PCAOB’s inspection report. For each
deficiency, to which of the elements of the principles does it most closely relate? (If the
firm had fewer than five deficiencies, evaluate all of the deficiencies identified in the
report.)
e. Briefly summarize the firm’s response (if any) to the PCAOB’s inspection report.
Appendix 2A
Referencing Professional Standards
Shown here is a comparison of the categories of standards issued by the PCAOB and
Auditing Standards Board (ASB). (Section numbers are shown in parentheses for each
category.) These general categories parallel the majors stages of an audit engagement
and serve as an appropriate starting point when researching the professional auditing
literature with respect to an issue that may be encountered during the audit examination.
ASB
PCAOB
General Principles and Responsibilities (200–299)
General Auditing Standards (1001–1305)
Risk Assessment and Response to Assessed Risks
(300–499)
Audit Procedures (2101–2905)
Audit Evidence (500–599)
Audit Procedures (2101–2905)
Using the Work of Others (600–699)
Incorporated in General Auditing Standards and Audit
Procedures
Audit Conclusions and Reporting (700–799)
Auditor Reporting (3101–3320)
Special Considerations (800–899)
Other Matters Associated with Audits (6101–6115)
Special Considerations in the United States (900–999) Other Matters Associated with Audits (6101–6115)
Matters Related to Filings Under Federal Securities
Laws (4101–4105)
EXAMPLE: AUDITING REPORTING
Assume that you were seeking guidance on the contents of the portion of the auditors’
report related to the opinion on the financial statements. For issuers, “Auditor Reporting”
is covered under AS sections 3101–3320. Reviewing AS 3101 (The Auditor’s Report on
an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion),
paragraph 8 provides a detailed summary of both the contents of the section of the report
related to the financial statement opinion and the actual wording of the section. This section is shown in Appendix B of AS 3101). In documenting your reference to the professional standards, you would cite AS 3101.08 or AS 3101 (Appendix B) as the appropriate
source of professional guidance.
For nonissuers, “Audit Conclusions and Reporting” are covered under AU-C sections
700–799. AU-C section 700 (Forming an Opinion and Reporting on Financial Statements) specifically relates to the content of auditors’ reports. When you access AU-C
section 700, you will see the source identified as SAS Nos. 134, 137, 138, and 141. If
future pronouncements issued by the ASB affect audit reporting, AU-C section 700 will
be updated to include those pronouncements. In this way, auditors can find all of the
appropriate professional guidance for an area under one AU-C section rather than needing to reference several individual pronouncements.
Each AU-C section includes a number of paragraphs that address various matters
related to that topic. AU-C section 700 has 61 paragraphs outlining the professional
guidance for reporting and 81 other paragraphs (referred to as Application and Other
Explanatory Material) to provide more specific guidance for applications of the standard.
Paragraphs 24 through 27 provide the content related to the opinion on the financial
statements; paragraph A81 (the “A” refers to application material) provides the actual
wording of the report. In documenting your reference to the professional standards, you
could refer to either SAS No. 134 (the primary guidance for audit report content), AU-C
700.24-700.27, or AU-C 700.A81.
Chapter 2 Professional Standards 81
EXAMPLE: AUDIT CONFIRMATIONS
You are seeking guidance for the use of confirmations in the audit of an issuer; specifically, you want to know what alternative procedures should be performed for nonresponses to confirmations. Reviewing the categories of standards, “Audit Procedures”
(AS sections 2101–2905) appears to be most applicable; a review of standards within
this category allows you to identify AS 2310, The Confirmation Process. Reviewing
this standard, paragraphs 31 and 32 describe the auditors’ responsibility for performing
alternative procedures if replies to confirmations are not received. In documenting your
reference to the professional standards, you would cite AS 2310.31-32.
For the audits of nonissuers, audit evidence is covered under AU-C sections 500–599.
AU-C section 505 (External Confirmations) specifically relates to the use of external
confirmations. When you access section 505, you will see the source identified as SAS
No. 122. Paragraphs A24–A26 provide guidance for auditors’ responsibility for nonresponses to confirmations. In documenting your response, you could cite either SAS No.
122 or AU-C 505.A24–A26.
CHAPTER 3
Engagement Planning
and Audit Evidence
He who fails to plan is planning to fail.
Sir Winston Churchill
Professional Standards References
Topic
AU-C/ISA Section
AS Section
Overall Objectives of the Independent Auditor
200
1001, 1005, 1010, 1015
Terms of Engagement
210
1301
Communication between Predecessor and Successor Auditors
210
2610
220, 300
1201
Audit Documentation
230
1215
Audit Planning
300
2101
Materiality
320
2105
Supervision of the Audit Engagement
Audit Evidence
500
1105
Substantive Analytical Procedures
520
2305
Consideration of the Internal Audit Function in a Financial Statement
Audit
610
2605
Using the Work of an Auditor-Engaged Specialist
620
1210
LEARNING OBJECTIVES
During the planning phase of an engagement,
the professional standards emphasize that risk
assessment underlies the entire audit process.
Motivated by the importance of risk assessment,
standards setters at both the PCAOB and ASB
have each adopted a suite of standards related
to the auditor’s assessment of, and response to,
risk in a financial statement audit. Collectively,
the standards also include guidance pertaining to
audit planning, supervision, materiality, and other
82
related topics. In this chapter, we cover engagement
planning, beginning with pre-engagement activities,
supervision, and materiality. Next, we cover the
types of audit procedures that can be completed
and audit documentation. In Chapter 4, we provide
a comprehensive explanation of an auditor’s
assessment of risk.
Your objectives are to be able to
LO 3-1
List and describe the required preengagement activities that auditors undertake before beginning an audit engagement.
Chapter 3 Engagement Planning and Audit Evidence 83
LO 3-2
Understand the importance of planning the
audit engagement so that it is conducted in
accordance with professional standards.
LO 3-3
Define materiality and explain its importance
in the audit planning process.
LO 3-4
List and describe the eight general types of
audit procedures for gathering evidence.
LO 3-5
Define what is meant by the proper form and
content of audit documentation.
INTRODUCTION
Deciding whether to accept a new client is arguably one of the most important decisions
an audit firm can make and it is not one that is taken lightly. Audit firms must consider
several issues when making client acceptance decisions, including whether they have
the industry knowledge needed to audit the client, if there are independence issues,
whether the new client is too risky, and also if they have the capacity and man-power
to perform the audit in question. Capacity and man-power would have definitely been a
big consideration for both the General Motors (GM) and the General Electric (GE)
recent auditor changes.
In 2017, GM announced EY would be their new auditor, beginning with the 2018
audit.1 Deloitte had been GM’s auditor for the 100 years prior to the change. In June
2020, GE announced that after the 2020 audit, they would switch auditors from KPMG
to Deloitte. KPMG had been GE’s auditor since 1909.2 To put these changes into perspective, in 2020 GM paid $21 million dollars for their external audit, and an additional
$4 million in audit-related fees.3 In 2020, GE paid $61.6 million dollars for their external
audit, and an additional $14.6 million in audit-related fees.4 Deciding whether to accept
GM or GE as a new audit client is definitely not a decision for an audit firm to take
lightly! Can you imagine the amount of resources (personnel, time, knowledge, etc.)
needed for a firm to perform a $21 million dollar audit, let alone a $61 million audit? It
would be substantial, to say the least! And, as this chapter discusses further, sheer capacity to perform the audit would only be a small part of the considerations a firm would
need to make prior to accepting a new audit client.
This chapter is devoted to the audit planning process, beginning first with the preengagement activities of client acceptance and continuance. Audit Standards require
auditors to perform due diligence prior to accepting or continuing with a client, in part to
help minimize the risk of an audit failure.
Once a client acceptance or a continuance decision is made, the auditor must develop a
detailed audit plan documenting the audit testing procedures to be performed. The testing
procedures, outlined later in this chapter, are designed in response to the risk of material misstatement for each of the relevant financial statement assertions in significant
accounts. In this chapter we discuss how materiality is calculated, further discussion
of the risk of material misstatement is included in Chapter 4. The audit plan and any
work done related to the plan must be documented, as further discussed at the end of the
chapter.
1
“General Motors Appoints Ernst & Young As Auditor for Fiscal 2018,” GM Authority, September 26, 2017 (gmauthority.com).
“GE Names New Auditor for First Time in Over a Century,” Forbes, June 22, 2020 (forbes.com).
3
General Motors Company Proxy Statement and Notice of 2021 Annual Meeting of Shareholders, June 14, 2021 (investor.gm.com).
4
GE 2021 Notice of Annual Meeting and Proxy Statement, https://www.ge.com/sites/default/files/ge_proxy2021.pdf
2
84 Part Two The Financial Statement Audit
PRE-ENGAGEMENT ACTIVITIES
LO 3-1
List and describe the
required pre-engagement
activities that auditors
undertake before beginning
an audit engagement.
Public accounting firms try to reduce their own business risks by carefully managing their
audit engagements. To do so, public accounting firms undertake several activities before
beginning any audit engagement. In general, these activities can be called risk management
activities. Risk in an audit engagement generally refers to the probability that the firm
could issue a clean, unmodified audit opinion when in fact a material misstatement does
exist in the financial statements and the opinion should have been modified. Because of
the importance of these activities, professional standards state that the auditor should
engage in the following activities: (1) perform procedures regarding the acceptance or
continuance of the audit client relationship, (2) determine compliance with independence
and ethics requirements, and (3) reach a contractual understanding with the client for
the terms and conditions of the audit engagement. Exhibit 3.1 outlines the major stages
of the audit. These pre-engagement activities occur in the Obtain (or Retain) Engagement
phase highlighted. Each of these three activities is further discussed below.
Client Acceptance or Continuance
An important element of a public accounting firm’s quality control policies and procedures is a system for deciding whether to accept a new client and, on a continuing basis,
whether to continue providing services to existing clients. Public accounting firms are
not obligated to accept undesirable clients, nor are they obligated to continue to serve
clients when relationships deteriorate or when the management comes under a cloud of
suspicion. The process activities are clearly focused on understanding and managing risk
to the audit firm. In fact, to mitigate their business risk, public accounting firms devote
substantial time to make sure that the audit clients that they serve do not become the
focus of the next big accounting scandal.
Auditing a client that has integrity generally results in a problem-free engagement.
Conversely, despite conducting an audit in accordance with generally accepted auditing
standards, it is difficult for a public accounting firm to avoid appearing “guilty by association” with a client that lacks integrity. When a firm recognizes such a lack in a client,
they may choose to withdraw from an engagement.
In addition, companies are free to, and often do, change auditors periodically, sometimes as a result of corporate policy to rotate auditors, sometimes because of fee considerations, and sometimes because of arguments about the scope of the audit or the
acceptability of accounting principles. It is possible that a change in auditors occurred
for the purpose of procuring new auditors who will agree with management’s treatment
of questionable accounting practices. Not surprisingly, these types of disagreements
between auditors and management would be of interest to investors and future auditors.
The public accounting firm that has been terminated or has voluntarily withdrawn from
the engagement (whether the audit has been completed or not) is known as the predecessor auditor. To reduce the risk of accepting a problem client, auditing standards require a
prospective auditor to initiate contact with and attempt to obtain basic information directly
from the predecessor regarding issues that reflect directly on the integrity of management.
The audit client must grant its approval before the communication can occur between
the prospective auditor and the predecessor auditor. Once approval is obtained, the prospective auditor should ask the predecessor auditor for information on management’s
EXHIBIT 3.1
Stages of an Audit:
Obtain (or Retain)
Engagement
Obtain
(or Retain)
Engagement
Engagement
Planning
Risk
Assessment
Substantive
Procedures
Reporting
Chapter 3 Engagement Planning and Audit Evidence 85
integrity; on disagreements with management about accounting principles, audit procedures,
or similar matters; and the reasons for a change of auditors.
The following Auditing Insight provides some insight into how often auditor changes
among larger companies actually occur.
AUDITING INSIGHT
How often do companies switch auditors?
Not as often as you would think, and especially not for big clients. Overall, the average audit tenure for public companies is 15 years, however,
there is a definite positive relationship between the audit tenure and
the size of the client. The average auditor tenure for public companies
in the first quartile of revenues (average revenue of $17 million) is 8
years, as opposed to 25.3 years for companies in the fourth quartile of
revenues (average revenue of $19,779 million). When looking specifically at the S&P 500, whose average revenues are $26,060 million, the
average auditor tenure is 32.7 years. While that might seem like a long
time, that is nothing compared to companies like these:
•
•
•
Sherman Williams, who have been audited by EY since 1908
Proctor & Gamble, who have been audited by Deloitte since 1890
Goodyear Tire & Rubber, who have been audited by PwC since 1898!
Source: “Audit Tenure by Revenue,” Audit Analytics, August 20. 2020 (blog.
auditanalytics.com).
When a public company changes auditors, the company must file a Form 8-K report
with the SEC and disclose that the board of directors approved the change. Form 8-K, the
“special events report,” is required whenever certain significant events such as changes
in control and legal proceedings occur. Public companies also must report any disagreements with the former auditors concerning matters of accounting principles, financial
statement disclosures, or auditing procedures. At the same time, the former auditor must
submit a letter stating whether the auditors agree with the explanation and, if not, provide particulars. These documents are available to the public through the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system, available on the SEC’s
website (www.sec.gov). The purpose of these public disclosures is to make information
available about client–auditor conflicts that have occurred.
If you read closely, professional standards require only that the auditors attempt to
communicate with the predecessor auditors. The AICPA Code of Professional Conduct
does not permit the predecessor auditor to provide information obtained during any audit
engagements without the explicit consent of the client. Confidentiality remains even when
the auditor–client relationship ends. Therefore, auditing standards require the prospective
auditor to ask that the consent be given to permit the predecessor auditor to respond fully
to their inquiries. If this consent is refused, the refusal should be regarded as a red flag,
and the prospective auditor should be cautious about accepting the engagement. Exhibit 3.2
summarizes the responsibilities of the prospective auditor, client, and the predecessor
auditor in the communication process.
EXHIBIT 3.2 Party Responsibilities for Required Communication with Predecessor Auditor
Prospective
Auditor
• Request client to authorize predecessor auditor to fully respond to inquiries
Client
• Authorize predecessor auditor to respond fully to prospective auditor inquiries
Predecessor
Auditor
• Upon permission from client, respond fully (or limited depending on client authorization) to prospective auditor
If management refuses to authorize predecessor to respond or limits response, auditor should inquire as to the
reason and consider the implications for refusal in deciding whether to accept the engagement.
• Initiate contact with predecessor auditor
• Inquire with predecessor auditor about
■ management integrity
■ disagreements with management
■ reason for auditor change
■
inquiries
Source: AU-C Section 210 Terms of the Engagement, AICPA, 2021.
86 Part Two The Financial Statement Audit
In addition to communication with the predecessor auditor, client acceptance and
continuance policies and procedures generally include
∙ Obtaining and reviewing financial information about the prospective client: annual
reports, interim statements, registration statements, Form 10-Ks, and reports to regulatory agencies.
∙ Acquiring detailed criminal background checks of all senior managers.
∙ Requesting the prospective client’s bankers, legal counsel, underwriters, analysts, or
other persons who do business with the entity to provide information about it and its
management.
∙ Considering whether the engagement would require special attention or involve
unusual risks to the public accounting firm.
∙ Evaluating the public accounting firm’s independence with regard to the prospective
client.
∙ Considering the need for individuals possessing special skills or knowledge to complete the audit (e.g., information technology auditor, valuation specialist, industry
specialist).
The firms also search for news articles, lawsuits, and bankruptcy court outcomes naming
the entity, the chairman of the board, the CEO, the CFO, and other high-ranking officers.
In fact, the firms often engage private investigators to conduct additional searches for
information when the prospective clients are financial institutions, companies accused
of fraud, companies under SEC or other regulatory investigation, companies that have
changed auditors frequently, and companies showing recent losses. These characteristics
are red flags of potential problems, and public accounting firms want to know as much as
they can about the companies and their officers before entering into a relationship with
them. Without a doubt, management integrity (or lack thereof) is the primary reason for
accepting (or not accepting) an audit engagement.
Client continuance decisions are similar to acceptance decisions except that the firm
will have more firsthand experience with the entity. These types of client retention
reviews are typically done annually and also with the occurrence of major events such as
changes in management, directors, ownership, legal counsel, financial condition, litigation status, nature of the client’s business, or scope of the audit engagement. In general,
conditions that would have caused a public accounting firm to reject a prospective client
can develop and lead to a decision to discontinue the engagement. For example, a client
company could expand and diversify on an international scale so that a small public
accounting firm might not have the resources to continue the audit. In addition, it would
not be unusual to see newspaper stories about public accounting firms dropping clients
after directors or officers admit to falsification of financial statements, theft and misuse
of corporate assets, or other improprieties. The following Auditing Insight provides an
example of KPMG dropping a client for exactly that reason.
AUDITING INSIGHT
KPMG Severs Relationship with Liberty Tax
In December of 2017, KPMG announced their decision to resign
as Liberty Tax’s auditor, three months after the firing of CEO John
Hewitt. Hewitt was fired for having romantic relationships with female
employees and giving them preferential treatment, yet remained the
chairman of the board due to his status as controlling shareholder of
the company. When announcing the decision, KPMG cited concerns
around internal controls over financial reporting, more specifically
related to management integrity and the tone at the top. Ultimately
Hewitt did agree to resign as chairman of the board and sell his ownership shares in the company in July 2018, following delayed earnings reports and violation warnings of listing requirements from the
NASDAQ exchange.
Sources: M. Cohn, “KPMG Resigns from Auditing Liberty Tax,” Accounting
Today, December 11, 2017, A. Melin, “Liberty Tax Soars After Founder
Involved in Sex Scandal Agrees to Leave Firm,” Accounting Today, July 24,
2018.
Chapter 3 Engagement Planning and Audit Evidence 87
Compliance with Independence and Ethical Requirements
If you recall from Chapter 2, the responsibilities principle requires auditors to comply
with appropriate ethical requirements for each audit engagement; two important requirements relate to independence and due care. Auditors must maintain independence in
mental attitude; that is, auditors are expected to be unbiased and impartial with respect
to the financial statements and other information they audit. This “state of mind” is often
referred to as the auditor possessing independence in fact. This independence allows auditors to form an opinion on the entity’s financial statements without being affected by
influences that might compromise that opinion. Not only is it important for auditors to be
unbiased, but they must also appear to be unbiased. Independence in appearance relates
to others’ (particularly financial statement users’) perceptions of auditors’ independence.
In fact, if the auditor is not independent, the financial statements are considered unaudited for all practical purposes. A lack of independence can result in disciplinary action
by regulators and/or professional organizations and litigation by those who relied on the
financial statements (e.g., clients and investors). The profession as a whole depends on
the value of independence in that the auditor’s opinion on the financial statements loses
its value if the auditor is not considered to be independent from the management of the
firm. As a result of the importance placed on independence, public accounting firms must
have a process in place to ensure that they are independent of the company being audited.
Because public accounting firms are subject to strict independence rules, they actively
monitor the key relationships and the investment portfolios of their individual partners.
These processes are in place to help ensure that the firm is independent of any relationship that might impact the firm’s professionals from maintaining objectivity when making professional judgments on each audit. In fact, even after an audit client has passed the
client acceptance process, independence rules must continue to be rigorously maintained.
The importance of this process is exemplified by the way that KPMG handled a recent
situation involving a rogue partner, described in the following Auditing Insight.
AUDITING INSIGHT
Compromised Independence?
KPMG LLP was forced to resign from two large audit clients, Herbalife Ltd.
and Skechers USA Inc., because Scott London, the partner assigned
to each client, admitted to providing stock tips about the two audit
clients to a friend in exchange for cash and gifts. The friend is believed
to have made more than $1 million from trading on the insider information. By providing confidential insider information, London directly
violated the AICPA Code of Professional Conduct regarding confidential client information. As a result, the firm immediately fired him and
resigned as the external auditor for the two clients.
The resignation was necessary because London “violated the
firm’s rigorous policies and protections, betrayed the trust of clients
as well as colleagues, and acted with deliberate disregard for KPMG’s
long-standing culture of professionalism and integrity.” There was a
fear that the firm’s independence and objectivity toward the clients
would potentially be compromised as a result of this partner’s actions.
In addition to resigning from the two audits, KPMG decided to
withdraw its audit report on the financial statements of Herbalife for
the three previous years and for Skechers for the previous two years.
In doing so, KPMG stated that it did not believe there were any errors
in the financial statements. However, because of London’s actions,
the firm believed doing so was appropriate. London pleaded guilty to
a federal insider-trading charge on July 1, 2013, publicly admitting
that he did reveal confidential information about his clients to a friend.
The friend used the information to make over $1 million. London was
sentenced to serve 14 months in a federal prison in April 2014.
Sources: “Trading Case Embroils KPMG,” The Wall Street Journal, April 10,
2013, p. A1; “FBI Probes Trading as KPMG Quits Herbalife, Skechers Audits.”
Reuters.com, April 9, 2013, “Former KPMG Partner Scott London Pleads
Guilty to Insider Trading.” Los Angeles Times, July 1, 2013; “Former KPMG
Partner Sentenced for Insider.” Los Angeles Times, April 24, 2014; “FBI Probes
Trading as KPMG Quits Herbalife, Skechers Audits,” Reuters, April 9, 2013.
Engagement Letters
Professional standards require auditors to reach a mutual understanding with clients concerning engagement requirements and expectations and to document this understanding, usually
in the form of a written letter. When a new client is accepted or when an audit engagement
continues from year to year, an engagement letter should be prepared. This letter sets forth the
understanding with the client, including in particular (1) the objectives of the engagement,
88 Part Two The Financial Statement Audit
(2) management’s responsibilities, (3) the auditors’ responsibilities, and (4) any limitations
of the engagement. Other matters of understanding, such as the ones shown in Exhibit 3.3,
also may be included in the letter. For example, the additional internal control considerations required by the Public Company Accounting Oversight Board are specifically mentioned in the example engagement letter. In fact, a close review of this exhibit reveals the
importance of an auditor being quite detailed when completing the engagement letter.
In effect, the engagement letter acts as a contract. Thus, it serves as a means for reducing the risk of misunderstandings with the client and as a means of avoiding legal liability
for claims that the auditors did not perform the work promised.
Many public accounting firms also have policies about sending a termination letter
to former clients. Such a letter is a good idea because it provides an opportunity to deal
with the subject of future services, in particular, (1) access to audit documentation by
successor auditors, (2) reissuance of the auditors’ report when required for SEC reporting or comparative financial reporting, and (3) fee arrangements for such future services.
The termination letter also may include a report of the auditors’ understanding of the
EXHIBIT 3.3 Engagement Letter
September 15, 2023
Mr. Matt Lancaster Chair,
Audit Committee
Dunder-Mifflin Inc.
P.O. Box 349 Scranton,
Pennsylvania 18503
Dear Mr. Lancaster:
This letter will confirm our understanding of the arrangement for our audit of the financial statements of Dunder-Mifflin Inc. for the year
ending December 31, 2023.
We will audit the Company’s balance sheet at December 31, 2023, and the related statements of income, comprehensive income,
stockholders’ equity, and cash flows for the year then ended, for the purpose of expressing an opinion on them. We will also audit whether
Dunder-Mifflin Inc. maintained effective internal control over financial reporting as of December 31, 2023, based on criteria established in
Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO criteria).
Dunder-Mifflin Inc.’s management is responsible for these financial statements and for maintaining effective internal control over financial
reporting. Management is also responsible for making financial records and related information available for audit and for identifying and
ensuring that the company complies with the laws and regulations that apply to its activities. Our responsibility is to express an opinion
on these financial statements and an opinion on the effectiveness of the company’s internal control over financial reporting based on our
audits. If, for any reason, we are unable to complete the audit or are unable to form or have not formed an opinion, we may decline to
express an opinion or decline to issue a report as a result of the engagement.
We will conduct our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those
standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of
material misstatement and whether effective internal control over financial reporting was maintained in all material respects. Our audit of
the financial statements includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements,
assessing the accounting principles used and significant estimates made by management, and evaluating the overall financial statement
presentation. Our audit of internal control over financial reporting includes obtaining an understanding of internal control over financial
reporting, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we
considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinions.
Our fee for these services will be at our regular hourly rates, plus travel and other out-of-pocket costs. Invoices will be rendered on a
monthly basis and are payable on presentation. If this letter correctly expresses your understanding, please sign the enclosed copy where
indicated and return it to us.
Very truly yours,
By
Date
DUNDER-MIFFLIN Inc.
Chapter 3 Engagement Planning and Audit Evidence 89
circumstances of termination (e.g., disagreements about accounting principles and audit
procedures, fees, or other conflicts). These matters can be of great interest to prospective
auditors who should always remember to ask for a copy of the termination letter.
REVIEW CHECKPOINTS
3.1 What sources of information can auditors use in connection with deciding whether to accept a new
client?
3.2 Why do predecessor auditors need to obtain the client’s consent to give information to prospective
auditors? What information should prospective auditors try to obtain from predecessor auditors?
3.3 What does it mean for an auditor to be independent in fact? What does it mean for an auditor to be
independent in appearance?
3.4 What benefits are obtained by having an engagement letter? What is a termination letter?
AUDIT PLAN
LO 3-2
Understand the importance
of planning the audit
engagement so that it is
conducted in accordance
with professional standards.
An audit plan is a comprehensive list of the specific audit procedures that the audit team
needs to perform to gather sufficient appropriate evidence on which to base their opinion on
the financial statements. The professional standards require that the auditor plan each audit
engagement, including the establishment of an overall strategy for each audit engagement.
Specifically, when planning the engagement, the auditor needs to develop and document a
plan that describes the nature, timing, and extent of further audit procedures to be performed
to assess the risk of material misstatement at the financial statement and the assertion level.
Next, the auditor must carefully plan the nature, timing, and extent of control tests and substantive tests that are designed to mitigate these risks to an acceptable level. This planning
process is required to be led by the assigned engagement partner.
The professional standards are absolutely clear that the nature and extent of work
completed during engagement planning will depend on the company’s size, complexity,
and industry. In addition, the auditor’s prior experience with the company, including any
major changes from prior years, will have an impact on the nature and extent of planning activity. Furthermore, the client’s information technology system used to process
accounting transactions will also have an impact on planning activities. As a result, audit
firms spend a considerable amount of time on risk assessment at both the financial statement level and the management assertion level for the client being audited.
Importantly, this process begins with a detailed understanding of the client’s business,
industry, and strategy to achieve a competitive advantage in its marketplace. During this
process, the auditor should obtain an understanding of important events that have affected
the client, its operations, and its accounting information system. When understanding the
accounting information system, the auditor should pay particular attention to
∙ The complexity of the computer operations used by the entity (e.g., batch processing,
online processing, outside service centers).
∙ The organizational structure of the computerized processing activities.
∙ The availability of data for the auditor.
∙ The need for specialized skills.
Relatedly, the auditor should obtain an overall understanding of the financial statements, and ultimately the management assertions. This understanding provides the base
of knowledge necessary to assess audit risk, providing the underlying basis to construct
the audit plan.
For example, the evaluation of the risk of material misstatement is likely to vary for
different financial statement accounts and may even vary for different classes of significant transactions related to the same financial statement account. Ultimately, the audit
90 Part Two The Financial Statement Audit
plan will need to identify each of the relevant financial statement assertions (i.e., existence, occurrence, completeness, cutoff, rights and obligations, valuation and allocation,
accuracy, classification, and understandability) for each of the significant financial statement accounts and disclosures identified at an audit client.
The risk assessment process provides the basis to determine the nature, timing, and
extent of internal control tests and substantive tests of account balances and disclosures at
an audit client. That is, for each relevant assertion, the auditor must determine the combination of control and substantive tests that will be necessary to gather enough evidence to
persuade the auditor that no material misstatement exists for the relevant assertion being
audited. When the tests have been completed, audit team members will often indicate the
date that the procedure was performed and where the evidence is documented in the audit
plan. Thus, audit plans are used not only for quality control and supervision but also as
documentation to show that the audit engagement was planned and supervised in accordance with professional standards.
Risk assessment is absolutely critical in the audit planning process. Although
Exhibit 3.4 below implies that risk assessment occurs after the engagement planning
phase, in reality, the two phases are both part of the overall process of planning an audit.
Remember that the professional standards require that when planning, the auditor should
establish the overall audit strategy for the company being audited, which includes the risk
assessment procedures that will be performed. Therefore some engagement planning must
occur prior to risk assessment. However, following risk assessment, the auditor must
develop a plan to respond to each of the assessed risks of material misstatement with
specific auditing procedures. Because of the importance of risk assessment to the financial statement audit process, we devote exclusive attention to this subject in Chapter 4.
The remainder of this chapter will focus on all other aspects of engagement planning,
which occur in the audit stage highlighted in Exhibit 3.4. Essentially, there are three goals
of audit planning:
1. To make sure that the firm has the requisite staff to conduct the audit in accordance
with professional standards in a timely and profitable manner.
2. To determine materiality.
3. To outline the specific audit procedures, including tests of control and substantive
tests that need to be executed properly in order to mitigate assessed risks of material
misstatement and be in compliance with professional standards.
EXHIBIT 3.4 Stages of an Audit: Engagement Planning
Obtain
(or Retain)
Engagement
Engagement
Planning
Risk
Assessment
Substantive
Procedures
Reporting
Staffing the Audit Engagement
When a new client is obtained, most public accounting firms assign a full-service team
to the engagement. For a typical audit engagement, this team usually consists of the audit
engagement partner (the person with final responsibility for the audit, usually an industry
specialist), an audit manager, an information technology (IT) auditor, a tax specialist, a
quality assurance partner (the second audit partner who reviews the audit team’s work in
critical audit areas), and audit staff. The assignment of staff depends on the riskiness of the
engagement. For new clients, companies with complex significant transactions, and public
companies, more experienced staff members are typically assigned. The following Auditing Insight underscores the importance of proper engagement staffing on audit quality.
Chapter 3 Engagement Planning and Audit Evidence 91
AUDITING INSIGHT
Plan for Quality
The Center for Audit Quality (CAQ) is a nonprofit organization that is
dedicated to promoting “high quality performance by public company
auditors,” which helps to ensure the highest level of “investor confidence” in the capital markets. In providing the financial support for the
CAQ, the public company auditing firms recognize the importance of
working together to achieve audit quality.
The importance of planning was recently elevated by the CAQ
when it released its own set of Audit Quality Indicators. In fact, one
of the four key themes of audit quality outlined by the CAQ was the
“engagement team knowledge, experience, and workload.” Among
other issues, the report stressed that “The knowledge, experience,
and workload of the audit engagement partner and certain other
members of the engagement team are important elements in the execution of an audit. It is the responsibility of the engagement partner to
determine that, collectively, the engagement team has the appropriate experience and competencies, and that specialists are engaged,
as needed. The level of detail that may be provided on changes in the
composition of the engagement team is dependent on the audit committee’s needs and expectations, size of the engagement team, and
other considerations.”*
Sources: *Center for Audit Quality, “CAQ Approach to Audit Quality Indicators,”
Accessed June 24, 2019, www.thecaq.org.
No matter the type of engagement, planning meetings should include all team members
and focus on the financial statement accounts that represent the highest risk of material
misstatement. These planning meetings help to ensure that the engagement is properly
planned and that the audit team (especially new) members are properly supervised. The
meetings also are intended to be brainstorming sessions to (1) ensure that all audit team
members are informed about potential risks in the engagement and (2) increase team
members’ awareness for potential fraud. This required brainstorming session is discussed
in more detail in Chapter 4.
In the sections below are further discussions of specific engagement staffing issues,
including the role of IT auditors on the engagement team, relying on the work of internal
auditors, and the use of audit specialists.
Use of IT Auditors
When planning the engagement, the audit team members should consider their training and experience relative to the methods of information processing. A review of
the client’s computer hardware could show the extent of complexity involved. Whenever a complex computing environment exists, specialized information technology
skills are needed to evaluate the effect of computerized processing on the audit process. IT auditors are members of the audit team who are specially trained to evaluate
computerized controls and processes. The audit team could need their specialized
skills relating to various methods of data processing and extraction, programming
languages, software packages, or computer-assisted audit techniques. For audits of
large companies in today’s environment, IT auditors will be required and included
on the engagement team. Module H further discusses the role of IT systems in the
financial statement audit.
If the client outsources significant accounting applications (e.g., payroll), the audit
team might need to coordinate audit procedures with service auditors at the processing
center. This topic is covered in more detail in Module A.
Considering the Work of Internal Auditors
External auditors must obtain an understanding of a client’s internal audit department and
its work as part of the understanding of the client’s internal control system. Internal auditors
were discussed briefly in Chapter 1 and will be discussed in more detail in Module D,
but here we talk about the working relationship between internal and external auditors.
Audit efficiency can be realized when the two groups work together. However, prior to
92 Part Two The Financial Statement Audit
relying on the work of internal auditors, external auditors should consider internal auditors’ objectivity and competence:
∙ Objectivity. Internal auditors can never be considered independent in the same sense
that external auditors are because internal auditors are either directly employed or paid
as contractors by the client; however, they can (and should) be objective.5 Internal
auditors’ objectivity is investigated by learning about their organizational status and
lines of communication in the company. Objectivity is enhanced when the internal
auditors report directly to the audit committee of the board of directors. Objectivity is
questioned when
∙ Internal auditors report to divisional management, line managers, or other persons
with a stake in the outcome of their findings.
∙ Managers have some power over the pay or job tenure of the internal auditors.
∙ Individual internal auditors have relatives in audit-sensitive areas or are scheduled
to be promoted to positions in the activities under internal audit review.
∙ Competence. Internal auditors’ competence is investigated by obtaining evidence
about their educational and experience qualifications, their certifications (CPA, CIA,
CISA, etc.) and continuing education status, the department’s policies and procedures
for work quality and for making personnel assignments, the supervision and review
activities, and the quality of reports and audit documentation. This evidence enables
the external auditors to evaluate internal auditors’ performance.
Favorable conclusions about competence and objectivity enable external auditors to
rely on the work completed by the internal audit department related to gaining an understanding of and testing of a company’s internal control system. Internal auditors also
can assist (under the supervision of the independent audit team) with performing some
substantive testing of balances on the audit, reducing the external auditors’ work, and
avoiding duplication of effort. As an example, internal auditors can conduct observations
and make test counts during physical inventory counts thereby allowing auditors to be
able to reduce the nature, timing, or extent of their own procedures for these accounts.
This utilization of internal auditors’ work, however, cannot be a complete substitute for
the external auditors’ own procedures, as it is the work of the external auditors that must
always provide the basis for the auditors’ opinion.
The external auditors can never delegate responsibility for audit decisions to the internal
auditors. Rather, they must supervise, review, evaluate, and perform independent testing
of all the work performed by internal auditors. Internal auditors should never be delegated
tasks that require the external auditors’ professional judgment. Following is an illustration
of how an accounting firm could address the use of internal auditors on its engagements.
Note that internal auditors’ work can be utilized more extensively without reperforming a
percentage of the work when the account balance involves low professional judgment and
risk, and internal auditors are considered to be more competent and objective.
Reliance on Internal Auditors
Objectivity and Competence
5
Low
High
High judgment/risk
Auditor should not rely on internal
auditors’ work
Auditor should not rely on internal
auditors’ work
Low judgment/risk
Auditor can rely on internal auditors’
work but should reperform some of
the work
Auditor can rely on internal auditors’
work and may want to reperform some
of the work
Internal auditors refer to their level of objectivity as independence. This concept is discussed further in Module D.
Chapter 3 Engagement Planning and Audit Evidence 93
Using the Work of an Auditor-Employed or Auditor-Engaged Specialist
Gaining an understanding of the business can often lead to acquiring information that
reveals the need to employ audit specialists on the audit. Audit specialists are persons
skilled in fields other than accounting and auditing—actuaries, appraisers, attorneys,
environmental engineers, and geologists—who are not members of the audit team. Auditors are not expected to be experts in all fields of knowledge that can contribute information to the financial statements. Audit specialists can be employed by the auditor’s firm
(i.e., auditor-employed specialists) or engaged from an outside provider, referred to simply
as an auditor-engaged specialist. Specialists should typically be involved in planning meetings and supervised as other team members in accordance with professional standards.
When an auditor-engaged specialist is used, the audit engagement partner should assess
the specialist’s knowledge, skill, and ability in that particular area. This includes gaining
knowledge about his or her professional qualifications, experience, and reputation.
The engagement team must also assess the objectivity of the auditor-engaged specialist.
An auditor-engaged specialist should be unrelated to the company under audit if possible.
Regardless of whether the specialist is auditor-employed or auditor-engaged, the engagement
partner and team should clearly inform the audit specialist of the work to be performed and
of any matters that may affect his or her work. The engagement partner and audit team must
also evaluate the work of the specialist. The extent of the evaluation is contingent upon the
reliance on the specialist’s work, the risk of material misstatement in the area, the experience
and skill of the specialist, and the objectivity of the specialists. Provided that some additional
auditing work is done on the data that the audit specialist uses in reaching his or her conclusions, auditors may rely on the work of an audit specialist in connection with audit decisions.
Normally, audit specialists are not referred to in the auditor’s report unless they are involved
in addressing a critical audit matter disclosed in the audit report or unless their findings (e.g.,
a difference in an estimate from that of management) cause the auditors’ report to be modified (e.g., because of a GAAP departure). In these cases, references to the findings of the
audit specialists may facilitate a better understanding of the nature of the GAAP departure.
Using the Work of a Company’s Specialist
Auditors may also use the work of a company’s specialist as audit evidence. Much like when
using the work of internal auditors, external auditors must consider the objectivity and competence, specifically the knowledge, skill, and ability, of the company specialist. As with
the auditor-engaged specialist, the auditor must evaluate the work of the company specialist,
including evaluating any data, methods, or assumptions made by the specialist. Similarly,
the extent of the evaluation is contingent upon the risk of material misstatement in the area,
the significance of the company specialist’s work to the auditor’s conclusion, the knowledge,
skill, and ability of the specialist, and the objectivity of the specialist’s judgment.
The Auditing Insight below provides a glimpse into how auditors in practice use the
work of specialists.
AUDITING INSIGHT
How do auditors really use specialists?
Determining the fair value of an asset or liability is difficult and subjective. Auditing assets and liabilities reported at fair value is even more
difficult and is one area where auditors are increasingly engaging specialists for help. But are auditors really using specialists the way they
should? Turns out, not really. In a recently published academic paper,
the author interviews auditors and valuation specialists and finds
that auditors don’t fully value the work done by valuation specialists.
Auditors use specialists to feel more secure in the performance of
the audit, however, they tend to not fully trust the results of the specialists. In short, auditors use the work of specialists for comfort, not
insight. Through interviews, the author discovers instances of auditors
editing and finalizing, deleting select information, and even ignoring
issues raised by valuation specialists. Auditors tend to make the work
of the specialists conform to their view, thus somewhat defeating the
purpose of using a specialist altogether. Based on these insights, it
appears that auditors have some work to do when it comes to the
proper use of specialists.
Source: E. Griffith, “Auditors, Specialists, and the Professional Jurisdiction
in Audits of Fair Values,” Contemporary Accounting Research, Spring 2020,
Vol. 37(1), pp. 245–276.
94 Part Two The Financial Statement Audit
Time Budget
The timing of the work and the number of hours that each segment of the engagement is
expected to take are detailed in a preliminary time budget. Time budgets are used to maintain control of the audit by identifying problem areas early in the engagement, thereby
ensuring that the engagement is completed on a timely basis. Time budgets are usually
based on the prior-year’s performance for continuing clients while considering changes in
the client’s business. In a first-time audit, the budget may be based on a predecessor auditor’s experience or on general experience with similar companies. Extra time also may
be assigned to those accounts containing the highest amount of audit risk. A simple time
budget for an audit engagement follows.
Audit Time Budget (Hours)
Interim
Gain an understanding of business
Evaluate internal audit function
Understand internal control system
Prepare audit plan
Investigate related party transactions
Meet with client personnel
Complete cash substantive testing
Complete accounts receivable substantive testing
Complete inventory substantive testing
Complete accounts payable substantive testing
Evaluate legal letters
Review financial statement
Prepare audit report
15
10
30
25
5
10
10
15
35
5
Year-End (Final)
10
15
18
15
5
20
35
20
25
12
This time budget is illustrative—actual time budgets are much more detailed and complex. Most budgets specify the expected time according to the level of staff people on the
team (partner, manager, in-charge accountant, staff assistant, IT specialist, tax specialist).
The illustration shows time at interim and at year-end. Interim audit work refers to procedures performed several weeks or months before the date of the financial statements.
(Account balances audited during interim are later rolled forward at year-end.) Year-end
audit work refers to procedures performed shortly before and after the date of the financial statements. Public accounting firms typically spread the workload during the year
by scheduling interim audit work so they will have enough time and people available
when several audits have year-ends on the same date. (December 31 is quite common.)
For many public accounting firms, the auditing “busy season” runs from September
through March of the following year. The interim work typically consists of risk assessment work, internal control testing, and substantive testing of balances as they exist at
the interim date.
Everyone who works on the audit engagement is typically required to report the time
taken to perform procedures for each phase of the audit. These time reports are recorded
by budget categories for the purposes of (1) evaluating the efficiency of the audit team
members, (2) compiling a record for billing the client, and (3) compiling a record for
planning the next audit. Although the purposes of a time budget are straightforward,
these budgets create job pressures. Staff members are under pressure to meet the budget,
and beginning auditors often experience frustration over learning how to complete their
audit work in an efficient manner. As a result, staff members may be tempted to “eat”
time, that is, underreport the actual number of hours spent to perform the audit work.
Eating time is considered unethical behavior. Many accounting firms have policies and
procedures prohibiting auditors from underreporting their time. Despite this, eating time
is still a common occurrence. However, for proper client billing and audit planning for
future audits, it is essential for auditors to truthfully report their time.
Chapter 3 Engagement Planning and Audit Evidence 95
REVIEW CHECKPOINTS
3.5 What must external auditors do to use the work of internal auditors in the audit of an entity’s financial
statements?
3.6 What must external auditors do to use the work of audit specialists in the audit of an entity’s financial
statements?
3.7 For a typical audit engagement, describe the people and skills that are normally assigned to a fullservice audit team.
MATERIALITY
LO 3-3
Define materiality and
explain its importance in the
audit planning process.
As you know, financial statement measurements and information in some footnote
disclosures are not flawlessly accurate. Management has the choice, for example, of depreciation method, inventory valuation method, and classification of marketable securities,
all of which affect final financial statement numbers. Furthermore, many financial measurements are based on estimates such as the estimated depreciable lives of fixed assets
or the estimated amount of uncollectible accounts receivable. Thus, net income is not
necessarily the one “true” figure but one possibility in a range of potential net income
figures allowable under the relevant reporting framework (e.g., GAAP or International
Financial Reporting Standards [IFRS]).
Given this range permitted, some amount of inaccuracy is allowed in financial statements.
This is because (1) unimportant inaccuracies do not affect users’ decisions and hence
are not material, (2) the cost of finding and correcting small misstatements is too high,
and (3) the time taken to find them would delay issuance of the financial statements.
Although not absolutely accurate, accountants and auditors do want to maintain that
financial reports are materially accurate and do not contain material misstatements.
As a result, to plan the nature, timing, and extent of further audit procedures to be performed, professional standards require an auditor to consider earnings and other factors
and determine an appropriate materiality level for the financial statements. Information is
considered material if it is likely to influence financial statement users’ decisions. When
referring to materiality, the standards rely on the definition as established by the Supreme
Court, that a fact is material if there is “a substantial likelihood that the . . . fact would
have been viewed by the reasonable investor as having significantly altered the ‘total
mix’ of information made available.” The emphasis in this definition is on the financial
statement users’ point of view, not on the auditors’ or managers’ point of view. Although
financial statement users are expected to have a basic knowledge of business and financial
statements as well as an understanding of the limitations of the audit process, auditors
remain conservative when setting the materiality level.6
Given this, the engagement partner needs to think carefully about the appropriate level
of materiality during the planning process. By doing so, the auditor helps to avoid unnecessary surprises on the audit engagement. Suppose that near the end of an audit, the partner decided that all misstatements of more than $50,000 should be considered material
but then realized that the nature, timing, and extent of substantive procedures had been
completed assuming a materiality level of $250,000! As a result, the nature, timing, and
extent of further audit procedures would have to be modified significantly, which would
likely be an unpleasant surprise for the engagement team.
The professional standards also require the auditor to evaluate the facts and circumstances of each engagement carefully to determine whether there are particular accounts
or disclosures where amounts lower than established materiality might influence the
6
PCAOB Release No. 2010-004, “AS 2105: Consideration of Materiality in Planning and Performing and Audit,” August 5, 2010.
96 Part Two The Financial Statement Audit
judgment of a reasonable financial statement user. If that is the case, the auditor must
determine an amount that would be considered a tolerable misstatement for that account
or disclosure when completing risk assessment procedures and further planning and
performing the necessary audit procedures in that area.7
Therefore, auditors use performance materiality (an amount less than materiality for
the financial statements as a whole) to make sure that the aggregate of uncorrected and
undetected immaterial misstatements does not exceed materiality for the financial statements as a whole. For example, auditors may use different amounts (smaller than overall
financial statement materiality) when auditing particular classes of significant transactions, account balances, or disclosures. The audit team cannot look at every significant
transaction, so the concept of performance materiality takes this risk into account. When
auditors use sampling, performance materiality is referred to as tolerable misstatement.
The extent to which performance materiality is based on the overall materiality is a
matter of professional judgment and, as a result, the amount may vary from auditor to
auditor, as could the methods for assigning performance materiality to accounts. The
auditing standards do not even require that the overall materiality amount be assigned
to individual accounts in dollar amounts. While there may be many different processes
for determining performance materiality, most auditors start with a top-down approach:
judging an overall material amount for the financial statements and then determining
performance materiality to particular accounts to help determine the amount of work to
be done in each area. Such a top-down approach is considered theoretically preferable
because this method requires the audit team to think first about the financial statements
taken as a whole.
Exhibit 3.5 below highlights the top-down approach and the relationship between overall materiality and performance materiality. As seen in the Exhibit, performance materiality may be impacted by the risk associated with the account. Auditors may choose to
set a higher performance materiality when risk is low versus when there is a high risk of
material misstatement. It should also be noted that overall materiality is not “allocated”
among the various audit areas. In other words, if one were to add all of the performance
materiality amounts assigned to the various areas of the audit, that sum would exceed
overall materiality.
Materiality Calculation
Although some accountants wish that standard setters could issue definitive, quantitative
materiality guidelines, many fear the rigidity that such guidelines would impose. Therefore, in the end, materiality is a matter of professional judgment that the engagement
partner must decide on each audit engagement. However, on each audit engagement, the
EXHIBIT 3.5
Top-Down Approach
to Overall Materiality
and Performance
Materiality Judgments
Overall Materiality
Performance Materiality for Classes of Transactions, Account Balances, or Disclosures
where risk of misstatement is low
Performance Materiality for Classes of
Transactions, Account Balances, or Disclosures
where risk of misstatement is high
7
Ibid.
Chapter 3 Engagement Planning and Audit Evidence 97
planning process begins with a calculation of a preliminary materiality amount that is
based on a relevant benchmark and a rule of thumb percentage applied to that benchmark.
The choice of appropriate benchmark relates directly back to what is most important
for the financial statement users and the industry in which the client operates. Auditors
most commonly use profit before tax (PBT), total net assets, or total revenues as the
benchmark for their initial determination of materiality, depending on the client industry.
Some examples of commonly used benchmarks per industry are
∙
∙
∙
∙
Asset based entities – total net assets.
Profit based companies, such as manufacturing – PBT.
High technology start-up companies – total revenue.
Nonprofit entities – gross revenue or total contributions.
The rule of thumb percentages applied to the benchmarks often range from 3–5 percent of PBT or 1/2–1 percent of revenue or total assets.
As noted, the percentages and benchmarks per industry are only rules of thumb and
will not be appropriate for all clients. If, for example, the PBT for a profit-based company
fluctuates widely, an average PBT over recent years may be a more appropriate benchmark
for materiality. Alternatively, if a profit-based company experienced a net loss, an alternative benchmark may be more appropriate to use to determine materiality. Amazon, the
internet retail giant, provides an example of both of these scenarios. For the fiscal year
2020, Amazon reported $24.2 billion in income before taxes (i.e., profit before tax). For
the years ended 2019 and 2018, Amazon reported $14.0 and $11.3 billion PBT, respectively. Using the rule of thumb of 3 percent of PBT, the overall materiality set for the
2020 Amazon audit would be approximately $725 million dollars. That amount is closer
to 6 percent of Amazon’s PBT in each of the prior years, in other words, twice the amount
of materiality from the prior two audits! In a situation like this, auditors may decide to
use the average PBT of the prior years to determine materiality. Although hard to believe
today, in 2002, Amazon reported a net loss of $149 million and net sales of $3.9 billion.
In a loss scenario such as this, auditors may decide using a percentage of sales or total
assets is a more appropriate benchmark for materiality. Of course, in the end, materiality
is a matter of professional judgment, keeping in mind what matters most to the financial
statement users.
Although standards require materiality to be expressed as a quantitative amount, auditors
must consider qualitative factors as well. The SEC cautions auditors about overreliance
on certain quantitative benchmarks to assess materiality, noting that “misstatements are
not immaterial simply because they fall beneath a numerical threshold.”8 Thus, auditors
must examine both quantitative and qualitative factors when assessing materiality. Some
of the more common qualitative factors that auditors use in making materiality judgments
are the nature of the item or issue, engagement circumstances, and possible cumulative
effects—all discussed in the following paragraphs.
Other Issues that Impact Materiality
Nature of the Item or Issue
An important qualitative factor is the descriptive nature of the item or issue. An illegal
payment is important primarily because of its nature as well as because of its absolute or
relative amount. In addition, the auditor would consider any type of fraud committed by
a member of management material regardless of the amount. Finally, generally speaking,
potential errors in the more liquid assets (cash, receivables, and inventory) are considered
more important than potential errors in other accounts (such as fixed assets and deferred
charges).
8
SEC, Staff Accounting Bulletin No. 99, “Materiality,” August 12, 1999.
98 Part Two The Financial Statement Audit
Engagement Circumstances
An auditor’s legal liability is always a relevant consideration when determining materiality. That is, auditors generally place extra emphasis on the detection of misstatements in
financial statements that will be widely used (such as those of public companies) or used
by important outsiders (such as bank loan officers). In addition, troublesome political
events in foreign countries can cause auditors to try to be more accurate with measurements and disclosures. Other circumstances that affect quantitative materiality involve
amounts that could turn a net loss into a profit or allow a company to meet earnings
expectations. In these circumstances, when management can exercise discretion over
an accounting treatment, auditors tend to exercise more care and use a more stringent
quantitative materiality criterion. Finally, matters surrounded by uncertainty about the
outcome of future events usually come under more stringent quantitative materiality
considerations.
Possible Cumulative Effects
At the end of each audit engagement, auditors must also evaluate the aggregate sum of known
or potential misstatements. For example, consider an audit for which overall materiality is set
at $50,000. If the audit test work revealed five individual $15,000 misstatements, they
would each, on their own, be considered immaterial. However, what if all five misstatements each had the effect of increasing net income? In that situation, the auditor must
factor in the probability that the aggregate of uncorrected and undetected misstatements
could exceed overall materiality for the financial statements. The following Auditing
Insight demonstrates the potential costly effect of cumulative errors.
AUDITING INSIGHT
Costly Cumulative Effects
In early 2019, Hertz, the rental car company giant, agreed to pay a
$16 million penalty to the SEC over accounting errors that lead to
material misstatements in the audited financial statements for 2012
and 2013, as well as portions of the unaudited 2011 financial statements. Hertz identified 17 areas with material accounting errors
across several business units, including one misstatement valued at
$48 million. The cumulative effect of the misstatements resulted not
only in the hefty SEC fine, but a reduction in previously reported pretax income of $235 million.
Source: “SEC Penalizes Hertz $16M for Accounting Violations,” Accounting
Today, January 12, 2019.
How Auditors Use Materiality
Although we have presented a number of different factors affecting overall materiality,
decisions about materiality ultimately remain a function of auditors’ professional
judgment. Many experienced auditors will state that these judgments are among the most
difficult they make. Materiality is one of the most important audit concepts you will learn
about because of its pervasive effect on the audit engagement. To summarize, on an audit
engagement, the audit team uses materiality three ways:
1. As a guide to planning substantive testing procedures—directing attention and audit
work to those items or accounts that are important, uncertain, or susceptible to material
misstatements.
2. As a guide for determining performance materiality to help make sure that the aggregate of
uncorrected and undetected immaterial misstatements does not exceed the materiality
level for the financial statements as a whole. For example, auditors may use an amount
smaller than overall financial statement materiality when auditing particular classes of
significant transactions, account balances, or disclosures.
3. As a guide for making decisions about the audit report. An account such as inventory
can be material in an audit context because of its size or its place in the financial
statements.
Chapter 3 Engagement Planning and Audit Evidence 99
REVIEW CHECKPOINTS
3.8
What is meant by material information in accounting and auditing?
3.9
What is the difference between overall materiality and performance materiality?
3.10 What qualitative factors can impact materiality?
3.11 How does an audit team use materiality on an audit engagement?
AUDIT PROCEDURES FOR OBTAINING AUDIT EVIDENCE
LO 3-4
List and describe the eight
general types of audit
procedures for gathering
evidence.
Auditors use audit procedures for three purposes. First, they use audit procedures to gain
an understanding of the client and the risks associated with the client (risk assessment
procedures). These procedures are covered in detail in Chapter 4. Second, auditors use
audit procedures to test the operating effectiveness of client internal control activities
(tests of controls) discussed in Chapter 5. Finally, auditors use audit procedures to produce evidence about management’s assertions (i.e., relating to existence, occurrence,
completeness, cutoff, rights and obligations, valuation and allocation, accuracy, presentation, and classification) related to the amounts and disclosures in a client’s financial
statements. Exhibit 3.6 shows the relationship among the assertions, the types of evidence available to the auditor, and the procedures most closely related to each.
EXHIBIT 3.6 Assertions, Evidence, and Audit Procedures
PCAOB Assertions
ASB Assertions
What Could Go Wrong?
Examples of Evidence
Available
Representative Audit
Procedures
Existence or
occurrence
Existence
Do the assets recorded really
exist?
The physical presence of the
assets
Inspection of tangible assets
Occurrence
Did the recorded sales
transactions really occur?
Client shipping documents
Inspection of records or
documents (vouching)
Rights and
obligations
Rights and
obligations
Does the entity really own
the assets? Are related legal
responsibilities identified?
Statements by independent
parties
Confirmation
Completeness
Completeness
Are the financial statements
(including footnotes)
complete?
Documents prepared by the
client
Inspection of records or
documents (tracing)
Cutoff
Were all transactions recorded Client receiving, shipping
in the proper period?
reports
Inspection of records or
documents (tracing or
vouching)
Valuation or
allocation
Are the accounts valued
correctly?
Client-prepared accounts
receivable aging schedule
Reperformance
Accuracy
Were transactions recorded
accurately?
Vendor invoices
Inspection of records or
documents (tracing or
vouching)
Presentation
Are transactions and events
appropriately presented and
clearly described?
Management-prepared
financial statements and
footnotes
Inquiry
Classification
Were all transactions recorded Comparisons of current-year
in the proper accounts?
amounts with those from the
prior year
Valuation and
allocation
Presentation
and disclosure
Analytical procedures
100 Part Two The Financial Statement Audit
EXHIBIT 3.7A
Dunder-Mifflin Trial
Balance, December 31,
2023
Revenue and collection cycle
Acquisition and expenditure cycle
Production cycle
Finance and investment cycle
Debit
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Cash
Accounts receivable
Allowance for doubtful accounts
Sales
Sales returns
Bad debt expense
Inventory
Fixed assets
Accumulated depreciation
Accounts payable
Accrued expenses
General expense
Cost of goods sold
Depreciation expense
Bank loans
Long-term notes
Accrued interest
Capital stock
Retained earnings
Dividends declared
Interest expense
Income tax expense
600,000
500,000
200,000
44,000
1,500,000
3,000,000
2,000,000
6,296,000
300,000
0
60,000
120,000
14,620,000
Credit
40,000
9,200,000
1,500,000
450,000
50,000
0
600,000
60,000
2,000,000
720,000
14,620,000
Once the risk assessment procedures have been completed and the relevant financial
statement assertions have been identified, an auditor then considers whether specific control activities are in place to prevent or detect a misstatement related to each of the relevant
financial statement assertions. Ultimately, the audit plan needs to specify a list of procedures
that must be completed to gather sufficient and appropriate evidence directed toward achieving particular audit objectives. For example, an internal control audit plan would contain the
specific procedures needed to obtain an understanding of the client’s internal control system
and test that understanding for those controls that relate to the relevant financial statement
assertions. If the auditor decides to rely on specific internal control activities, the plan would
also identify the specific types of tests of controls that would need to be completed to validate
the operating effectiveness of the internal control activities.
A substantive audit plan would contain a list of audit procedures for gathering evidence
related to the relevant assertions identified for an audit client’s significant financial statement accounts and disclosures. The substantive audit plan (i.e., the nature, timing, and
extent of further procedures) depends almost exclusively upon the assessment of risk at
an audit client. As an example, consider the nature of procedures. There are two ways to
conduct substantive tests: (1) substantive analytical procedures and (2) tests of details.
When completing analytical procedures to gather evidence, the auditor must develop
an independent expectation of what he or she thinks the account balance should be. Once
this is developed, the expectation is compared to the recorded amount. Any significant
differences must be investigated and then corroborated with evidence. When applying
substantive test of details, the auditor must seek to understand the account balance and/or
economic transaction to ensure, based on valid and reliable evidence, that the amount was
recorded in accordance with the applicable financial reporting framework. In general, analytical procedures are considered more efficient while a test of details is considered more
effective. Thus, an auditor must take great care in determining the nature of the testing procedure (i.e., substantive analytical procedure or test of detail) to specify in the audit plan.
To simplify the audit plan, auditors typically group the accounts into cycles (see
Exhibit 3.7A). A cycle is a set of accounts that are logically grouped in the internal control system, which has been designed to produce the financial statements and notes (see
Exhibit 3.7B). Most audit firms recognize four cycles, and each of these cycles is featured
Chapter 3 Engagement Planning and Audit Evidence 101
EXHIBIT 3.7B Dunder-Mifflin Unaudited Financial Statements
FINANCIAL POSITION
Cash
Accounts receivable
Inventory
$ 600,000
460,000
1,500,000
$2,560,000
Current Assets
Fixed assets (net)
Accum. depreciation
$3,000,000
(1,500,000)
Fixed Assets (net)
$1,500,000
Total Assets
$4,060,000
RESULTS OF OPERATIONS
Sales (net)
Cost of goods sold
Accounts payable
Accrued expenses
$ 450,000
110,000
Current Liabilities
$ 560,000
Long-term debt
Capital stock
Retained earnings
Total Liabilities
and Stockholder Equity
$ 600,000
2,000,000
900,000
$4,060,000
$9,000,000
6,296,000
Gross Profit
General expenses
Bad debt expense
Depreciation expense
Interest expense
Operating income
before taxes
Income tax expense
$2,704,000
$2,000,000
$ 44,000
300,000
60,000
Net Income
$ 180,000
$ 300,000
120,000
NOTES TO FINANCIAL STATEMENTS
1. Accounting Policies
2. Inventories
3. Plant and Equipment
4. Long-Term Debt
5. Stock Options
6. Income Taxes
7. Contingencies
Etc.
CASH FLOWS
Operations:
Net income
Depreciation
Increase in accounts receivable
Decrease in inventory
Decrease in accounts payable
Decrease in accrued expenses
Decrease in accrued interest
$ 180,000
300,000
(141,500)
50,000
( 25,000)
( 15,000)
( 20,500)
Cash Flow from Operations
$ 328,000
Investing Activities:
Purchase Fixed Assets
$
Financing Activities:
Repay bank loan
Repay notes payable
$(275,000)
(200,000)
Financing Activities
$(475,000)
Increase (decrease) in cash
Beginning balance
$(146,500)
746,500
Ending Balance
$ 600,000
0
in a chapter of this book: (1) the revenue and collection cycle (Chapter 7), (2) the acquisition and expenditure cycle (Chapter 8), (3) the production cycle (Chapter 9), and (4) the
finance and investment cycle (Chapter 10). Using the revenue and collection cycle as an
example, the idea of the cycle organization is to group accounts (sales, accounts receivable, cash) related to one another by the transactions that normally affect them all. This
cycle starts with a sale to a customer along with recording an account receivable, which is
later collected in cash or provided for in the allowance for doubtful accounts.
REVIEW CHECKPOINTS
3.12 What are the two primary ways to conduct substantive tests? Explain how the tests are different.
3.13 Identify the four cycles featured in Dunder-Mifflin’s accounting system featured in Exhibit 3.7A.
Next, list the financial statement accounts that can be identified within each of the cycles identified
as featured in Exhibit 3.7B.
As a rule, auditors use eight general audit procedures to gather evidence: (1) inspection
of records and documents (vouching, tracing, scanning), (2) inspection of tangible assets,
102 Part Two The Financial Statement Audit
(3) observation, (4) inquiry, (5) confirmation, (6) recalculation, (7) reperformance, and
(8) analytical procedures. Many of these procedures are performed or aided by the use of
computer-assisted audit techniques (CAATs) such as the IDEA or ACL programs. In this
book, we have integrated the IDEA software package, a CAAT program used by many
audit professionals, to help students understand how these procedures are performed in
practice. The “Using IDEA in the Audit” excerpt following the discussion of the various
audit procedures is designed to help you get started in IDEA.
In the following sections, we discuss each of the eight aforementioned audit procedures in more detail.
1. Inspection of Records and Documents
Much auditing work involves gathering evidence by examining authoritative documents,
either in paper form or, more increasingly, in electronic form, prepared by independent
parties and by the client. Auditors frequently inspect such documents to ensure they contain the correct information and/or authorization. Such documents can provide “evidence
of varying degrees of reliability, depending on their nature and source,” regarding many
of management’s financial statement assertions.
Documents Prepared by Independent Outside Parties
The most reliable form of documentary evidence is external, which means that the document was received directly from an independent outside third party (e.g., a bank). External documents can be either formal or informal. Formal documents are less susceptible
to alteration, if electronic they have controls in place to make them difficult to alter or
change, if paper they may have seals or other distinctive attributes. Formal documents,
therefore, are more reliable than informal external documents. Examples of formal external documents include bank statements, title papers, and insurance policies, whereas
informal external documents include vendor invoices, simple contracts, and written correspondence. Regardless, when either type of document is received directly from an independent outside party, the evidence is considered reliable.
In addition, a great deal of documentary evidence is considered external-internal,
which means that the documents were initially prepared by an external third party but
they were received by the client first and then given to the auditor. Since the client had
possession of the documents, there is always a possibility that the client altered the documents. As a result, external-internal documents are not as reliable as external documents.
Documents Prepared and Processed by the Client
Documentation of this type is referred to as internal evidence. Some of these documents
may be quite informal and not very authoritative or reliable. When such documents are
prepared by the client but are mailed to third parties, they become slightly more reliable.
However, as a general proposition, the reliability of these documents depends on the
quality of internal control under which they were produced and processed. Because the
client produces the evidence, an auditor must perform additional testing on this type of
information before placing any reliance at all on the internal evidence. Some of the most
common of these documents are
1.
2.
3.
4.
5.
6.
Sales invoice copies
Sales summary reports
Cost distribution reports
Loan approval memos
Budgets and performance reports
Documentation of significant transactions with subsidiaries
7.
8.
9.
10.
11.
12.
Shipping documents
Receiving reports
Requisition slips
Purchase orders
Credit memos
Transaction logs
Vouching—Examination of Documents
When testing the existence or the occurrence assertion, the auditor will take the vouching direction when examining documents. The important point about vouching is that the
Chapter 3 Engagement Planning and Audit Evidence 103
auditor begins the search for evidence by focusing on transactions that have already been
recorded in the financial statements. In vouching, an auditor selects an item in the financial
records, usually from a journal or ledger, and follows its path back through the processing steps to its origin (i.e., the source documentation that supports the item selected from
the ledger). Consider a revenue entry made in the financial statements. For that entry, the
auditor will find the journal entry, the sales summary, the sales invoice copy, the shipping documents, and, finally, the sales order from the customer. Vouching of documents
can help auditors decide whether all recorded significant transactions are adequately supported (the existence and occurrence assertions), but vouching does not provide evidence
to show whether all significant transactions were actually recorded (the completeness
assertion). However, if the auditors verify amounts during their testing, evidence regarding valuation and allocation also may be obtained while vouching documents.
Tracing—Examination of Documents
When testing the completeness assertion, the auditor will take the tracing direction when
examining documents. When taking the tracing direction, the auditor selects a basic source
document and follows its processing path forward to find its final recording in a summary
journal or ledger and ultimately the financial statements. For example, samples of shipping documents can be obtained from the warehouse and then traced to sales invoices, the
sales journal, and ultimately their recording in the financial statements as revenue earned.
Using tracing, an auditor can decide whether all significant transactions and events that
should have been recorded actually were recorded (the completeness assertion). In doing so,
the auditor complements the evidence obtained by vouching. This implies that an auditor
must always be alert to events that were not entered into the accounting system. For example, the search for unrecorded liabilities for raw materials purchases must include examination of invoices received in the period following the fiscal year-end and examination of
receiving reports dated near the year-end. In practice, it is important to remember that the
direction of the examination of documents is critical in relation to the assertion being tested.
Summary Listing
(Sales Journal)
Vouching
(Would be used to
test the existence or
occurrence assertion.
The audit test would
be designed to answer
the following question:
Did all recorded sales
occur?)
Tracing
(Would be used to test
the completeness assertion.
The audit test would be
designed to answer
the following question:
Were all shipments
made to customers
actually recorded as
sales?)
Source Documents
(Shipping Documents)
Scanning—Examination of Documents
Scanning is the way auditors exercise their general alertness to unusual items and events
in clients’ documentation. A typical scanning directive in an audit plan is “Scan the
expense accounts for credit entries; vouch any to source documents.”
In general, scanning is an “eyes-open” approach of looking for anything unusual. The
scanning procedure usually does not produce direct evidence itself, but it can raise questions related to other evidence that must be obtained. Scanning can be accomplished
on digital records by using CAATs to select records that are exceptions to the auditors’
criteria. For example, CAATs can easily scan client’s data for (1) accounts receivable
104 Part Two The Financial Statement Audit
balances for amounts over the credit limit, (2) inventory quantities for negative balances
or unreasonably large balances, (3) payroll files for terminated employees, (4) loan files
for loans with negative balances, (5) debits in revenue accounts, and (6) credits in expense
accounts, to name a few. Scanning can contribute some evidence related to the existence
of assets and the completeness of accounting records, including the proper cutoff of significant transactions.
2. Inspection of Tangible Assets
Inspection of tangible assets includes examining property, plant, and equipment; inventory; and securities certificates. Physical inspection of tangible assets provides compelling evidence of existence and may provide tentative evidence of valuation. For example,
audit team members can verify the existence of specific pieces of equipment listed on
the client’s fixed asset register by locating them and noting their condition (valuation).
However, inspection does not necessarily provide evidence that the entity owns the assets
(rights). For example, fixed assets on the client’s premises may be leased under operating
lease agreements, and inventory inspected by auditors may be held on consignment. The
following Auditing Insight discusses innovative ways firms are using technology to help
improve the inspection of inventory and tangible assets.
AUDITING INSIGHT
Fly-by Audit Procedures?
Technology is changing the look of the traditional inventory observations and asset inspections for the better. The Big 4 audit firms have
recently begun using drone technology to help make the audit more
efficient and effective. One-way drones are being used is to get a better view of hard to count inventory items, such as crops, livestock, and
coal reserves. Inventory observations that would have taken auditors
hours to perform now take a fraction of the time with more reliable
results. This allows auditors to focus their attention on identifying and
responding to areas of risk.
Sources. “EY Scaling the use of Drones in the Audit Process”, EY.com,
June 13, 2017; “PwC uses drone in audit for first time” Economia,
January 2, 2019; “How Drones are Being Used in Audit”, Discoveraudit.
org, Dec 14, 2017.
3. Observation
Although inventory observation often refers to the physical inspection of inventory (i.e.,
tangible assets), auditors use observation when they view the client’s physical facilities
and personnel on an inspection tour, when they watch personnel carry out accounting and
control activities (such as observing client inventory counts), and when they participate
in a surprise payroll distribution. Observation also can produce a general awareness of
events in the client’s offices. In this sense, observation is commonly used as a test of
controls.
4. Inquiry
Inquiry is a procedure that generally involves the collection of verbal evidence from independent parties and management (commonly referred to as written representations or
management representations). Important inquiries and responses should be documented
by the auditor in the workpapers. Auditors typically use inquiry procedures during
the early planning stages of the engagement. Evidence gathered by formal and informal inquiry generally cannot stand alone as convincing, and auditors must corroborate
responses with independent findings based on other procedures. In fact, the professional
standards state that “inquiry alone” is never enough to reach an audit conclusion. An
exception to this general rule might be a negative statement in which someone volunteers
adverse information such as an admission of theft, fraud, or use of an accounting policy
that is misleading. However, even in such a situation, an auditor would most likely follow
up to obtain documentary evidence to support the negative statement.
Chapter 3 Engagement Planning and Audit Evidence 105
AUDITING INSIGHT
Verbal Inquiry = Interview
Auditors conduct interviews almost every day. Sometimes these seem
more like casual conversations than “interviews.” Nevertheless, the
following guidelines for the inquiry/interview procedure can help
you obtain good information and maintain good relations with client
personnel.
a questionnaire or checklist; doing so makes the interview too
mechanical. You can take informal notes to remember the substance of the interview.
1. Prepare. Think about the information you want to obtain, the questions to ask, and the best person to interview.
4. Ask questions. Fill in the gaps in the person’s description or explanation by asking prompting questions to elicit additional descriptions and explanations. Start with broad, open-ended questions
and use specific questions to obtain more detail.
2. Make an appointment. Call in advance for a time or at least ask
permission to interrupt: “Do you have time to talk with me about
[subject]?” Introduce yourself and make enough conversation to
warm up the person without wasting time.
6. Be noncommittal. Refrain from expressing your own value judgments or criticisms while you talk with the client personnel. Don’t
reveal any audit-sensitive information.
3. Be conversational. Try to get the person to describe the accounting, the controls, or whatever the subject in his or her own words.
You will get more information. Just firing off questions makes the
meeting an interrogation. Most auditors find it difficult to think
of all of the right questions ahead of time anyway. Don’t exhibit
5. Listen carefully. Repeat items you don’t completely understand.
7. Close gracefully. Thank the person for the time and information.
Ask permission to return later for “anything I forgot.”
8. Document the interview. Write a memorandum for the audit documentation. Now you can get out the questionnaire or checklist,
complete it, and see whether you overlooked anything important.
5. Confirmation
Confirmation by direct correspondence with independent parties is a procedure widely
used in auditing. It can produce evidence of existence and rights and obligations and
sometimes of valuation and cutoff. Auditors typically limit their use of confirmation to
significant transactions and balances about which outside parties could be expected to
provide information. A selection of confirmation applications includes the following:
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
Banks—cash and loan balances.
Customers—receivables balances.
Borrowers—note terms and balances.
Agents—inventory on consignment or in warehouses.
Lenders—note terms and balances.
Policyholders—life insurance contracts.
Vendors—accounts payable balances.
Registrar—number of shares of stock outstanding.
Attorneys—litigation in progress.
Trustees—securities held, terms of agreements.
Lessors—lease terms.
Several points about confirmations are important to remember. First, confirmation letters are typically printed on the client’s letterhead and signed by a client officer; third
parties usually do not release information without client permission. Second, confirmation requests should seek information the recipient can supply, such as the amount of a
balance or the amounts of specified invoices or notes. Third, the audit firm should control
confirmations rather than giving them to client personnel for mailing. The audit team
should be very careful that the recipient’s address is reliable and not subject to alteration
by the client in such a way as to misdirect the confirmation. Fourth, responses should be
returned directly to the audit firm, not to the client. And last, auditors are increasingly
using technology to aid and improve the confirmation process.
Auditors are using technology in both the confirmation selection and execution process.
Auditors can use CAATs to program statistical or judgmental criteria for selecting
customers’ accounts receivable, loans, and other receivables for confirmation. In addition, the use of electronic confirmations by auditors (e.g., confirmation.com) has led to
106 Part Two The Financial Statement Audit
improvements in both the effectiveness and the efficiency of the confirmation process.
The use of electronic confirmations is covered in detail in Chapter 6.
6. Recalculation
Auditor recalculation of computations previously performed by client personnel produces
compelling evidence. A client calculation must always be mathematically accurate. Client calculations performed by computer programs can be recalculated using CAATs with differences
printed out for further audit investigation. Mathematical evidence can serve the objectives of
existence and valuation for financial statement amounts that exist principally as calculations,
for example, depreciation, interest expense, pension liabilities, actuarial reserves, bad debt
reserves, and product guarantee liabilities. Recalculation, in combination with other procedures, is also used to provide evidence of valuation for all other financial data.
7. Reperformance
Although similar to recalculation, reperformance is much broader in approach. As discussed in Chapter 4, reperformance is commonly used by auditors while completing
walkthroughs when gaining an understanding of a client’s internal control system. In
fact, reperformance can generally be completed for any client control procedure such as
matching vendor invoices with supporting purchase orders and receiving reports. Reperformance may be done either manually or with the assistance of CAATs. An auditor, for
example, can verify that an accounts receivable aging schedule was prepared properly by
sorting accounts receivable by due date.
8. Analytical Procedures
Auditors can evaluate financial statement accounts by developing expectations about what
an account balance should be based on an analysis of relevant financial and nonfinancial
data. When an auditor compares the expectation to a recorded balance, analytical procedures
are being performed. Auditors are required to use them when planning the audit and when
performing the review of the financial statements near the end of the audit before the audit
report is issued. In addition, auditors use analytical procedures to provide evidence about
management’s financial statement assertions during the testing phase of the audit.
Analytical procedures take the five general forms shown in the following table. Auditors need to be careful to use independent, reliable information for analyses. The sources
of information shown for the analytical procedures are very important, and auditors must
gain comfort over the information that is used to develop expectations during analytical
procedures. CAATs are useful when developing expectations as they can match data in
separate files to help extract the data necessary to make comparisons between financial
and nonfinancial information. In addition, CAATs can be used to extract the data necessary to make comparisons to other companies in the same industry.
Analytical Procedures
Sources of Information
1. Comparison of current-year account balances to balances of one or
more comparable periods
Financial account information for comparable period(s)
Example: Current-year cost of goods sold compared to last year’s
balance
Company budgets and forecasts
Example: Current-year cost of goods sold compared to the
company’s budgeted amount
Financial relationships among accounts in the current period
Example: Relationship between inventory and cost of goods sold
2. Comparison of current-year account balances to anticipated results
found in the company’s budgets and forecasts
3. Evaluation of the relationships of current-year account balances to
other current-year balances for conformity with predictable patterns
based on the company’s experience
4. Comparison of current-year account balances and financial
relationships (e.g., ratios) with similar information for the industry in
which the company operates
5. Study of the relationships of current-year account balances
with relevant nonfinancial information (e.g., physical production
statistics)
Industry statistics
Example: Comparing inventory and cost of goods sold levels to
comparable companies in the industry
Nonfinancial information such as physical production statistics
Example: Comparing the number of unfilled orders to inventory and
cost of goods sold levels
Chapter 3 Engagement Planning and Audit Evidence 107
Because of their effectiveness in directing attention to high-risk areas, professional
standards require that analytical procedures be used during planning and during final
evaluation phases of the audit. Although not required to be used during the substantive
testing phase of the engagement, auditors must consider the value of using substantive
analytical procedures, especially because they are usually less costly than more detailed,
document-oriented procedures. The professional standards clearly indicate that a wellplanned analytical procedure conducted during the substantive testing phase can be quite
effective if executed properly. The increased use of data and analytics in the audit, discussed further in Module G, has improved both the execution and frequency of use of
substantive analytical procedures. Consequently, analytical procedures often take a prominent place in the audit plan. When applying substantive analytical procedures to gather
evidence in this manner, it is important to remember that any significant differences must
be investigated and corroborated with evidence.
AUDITING INSIGHT
Accessing Client Data
The first step in using a CAAT like IDEA is to gain access to
the client’s data. The data may be available in multiple forms,
depending on the audit client’s unique computing environment.
However, IDEA is designed to be flexible enough to handle
multiple computing environments. Your instructor will provide
you with access to the IDEA software and the latest electronic
version of the IDEA Data Analysis Workbook. Your instructor
will also provide you with access to the data files for the audit
procedures to be completed for Accounts Receivable, Accounts
Payable, and Inventory.
For each set of files, your first step is to import the client’s data
into the IDEA software. We suggest that you complete this step
for each of the areas that have been assigned by your instructor.
To proceed, please refer to the IDEA workbook provided by your
instructor for step-by-step instructions on how to properly import
each file.
REVIEW CHECKPOINTS
3.14 What is meant by (a) vouching, (b) tracing, and (c) scanning? What is the difference between
vouching and tracing?
3.15 Identify and then briefly explain the eight general audit procedures used to gather evidence. Next,
please provide an example for each of the eight procedures.
3.16 What are the five types of general analytical procedures? List five sources of information for analytical procedures.
3.17 When are analytical procedures required during an audit engagement?
AUDIT DOCUMENTATION
LO 3-5
Define what is meant by the
proper form and content of
audit documentation.
An engagement is not complete without preparation of proper documentation. PCAOB
AS 1215 defines audit documentation as
The written record of the basis for the auditor’s conclusions that provides the support for
the auditor’s representations, whether those representations are contained in the auditor’s
report or otherwise.9
In other words, audit documentation provides the auditors’ record of compliance with
generally accepted auditing standards. The documentation (often referred to as workpapers despite that it is typically in electronic format) should contain support for the
decisions regarding planning and performing the audit, procedures performed, evidence
9
PCAOB Release No. 2004-006, “AS 1215: Audit Documentation,” June 9, 2004.
108 Part Two The Financial Statement Audit
obtained, and overall conclusions reached near the end of the audit. Even though the
auditors legally own the audit documentation, professional ethics require that the files
not be transferred without the client’s consent because of the confidential information
recorded in them.
Audit documentation can be classified in two categories: (1) permanent files (which
contain information that is relevant to ongoing client relationships) and (2) current files
(which relate to just one year of the client relationship). The following sections describe
the information contained in each file in more detail.
Permanent Files
The continuing audit files (or permanent files) contain information of continuing audit significance over many years’ audits of the same client. The audit team may use this file year
after year, but each year’s current audit documentation is stored after the files have served
their purpose. Documents of permanent interest and applicability include
1. Copies or excerpts of the corporate or association charter, bylaws, or partnership agreement.
2. Copies or excerpts of continuing contracts such as leases, bond indentures, and royalty
agreements.
3. A history of the company, its products, markets, and background.
4. Copies or excerpts of minutes of meetings of stockholders and/or directors on matters
of lasting interest.
5. Continuing schedules of accounts with balances that are carried forward for several
years, such as owners’ equity, retained earnings, partnership capital, and the like.
6. Copies of prior-years’ financial statements and audit reports.
7. Client organization chart.
Copies of financial statements and auditors’ reports from prior years also may be
included. Public accounting firms collect articles and other information regarding a client
and key personnel throughout the year. This information is often placed in the permanent
file to facilitate a review of the client prior to continuing the relationship. Because of the
importance of the documents contained and summarized in this one place, the permanent
file is a ready source of information for familiarization with the client by new personnel
on the engagement.
Current Files
The current files include all client acceptance or continuance documentation along
with planning documentation for the year under audit. They usually include the engagement letter, staff assignment notes, conclusions related to understanding the client’s
business, results of preliminary analytical procedures, assessments of audit risks, and
determination of audit materiality. Many public accounting firms follow the practice
of summarizing these data in a planning memorandum with specific directions about the
impact on the audit.
Basically, the planning memorandum summarizes all important overall planning
information and documents that the audit team is following generally accepted auditing
standards. All planning becomes a basis for preparing the audit plan, which is a list of
the audit procedures to be performed by the audit team to gather sufficient appropriate
evidence on which to base the opinion on the financial statements. Auditing standards
require a documented audit plan for each relevant assertion on the audit.
The planning documentation must include a listing of each significant account and
disclosure in the client’s financial statements. According to the professional standards,
if there is a chance the account could contain a misstatement that is material, it should
be identified as significant. The documentation also must include a listing of each relevant financial statement assertion related to the significant accounts and disclosures.
According to the professional standards, if the assertion has “a reasonable possibility of
Chapter 3 Engagement Planning and Audit Evidence 109
containing a misstatement that would cause the financial statements to be materially misstated,”10 it must be categorized as relevant. Documentation of the significant accounts
and disclosures, along with the relevant assertions, forms the basis of the current file
documentation.
Audit documentation should be prepared in sufficient detail to provide a clear understanding of its purpose, its source, and the overall conclusions reached near the end of the
audit. The audit documentation communicates the quality of the audit, so it must be clear,
concise, complete, neat, well indexed, and informative. Each workpaper must be complete in the sense that it can be removed from the audit documentation file and considered
on its own with proper cross-references available to show how the document coordinates
with other audit documentation. In other words, the documentation must be sufficient
to enable an experienced auditor, having no previous connection with the engagement,
to understand (1) the nature, timing, extent, and results of procedures; (2) the overall
conclusions reached with respect to the area covered by the audit documentation; and (3)
the audit team member performing the work, the date of work, the audit team member
reviewing the work, and the date of review. The audit documentation should also be sufficient to allow another auditor to reperform the work if necessary.
The most important facet of the current audit evidence documentation files is the
requirement that they show the auditors’ conclusions. The documentation must record the
management assertions that were audited, the evidence gathered about them, and final
conclusions. Professional audit standards require the audit documentation to show that
(1) the client’s accounting records agree or reconcile with the financial statements, (2)
the work was adequately planned and supervised, (3) a sufficient understanding of the
client’s internal control was obtained, and (4) sufficient appropriate audit evidence was
obtained as a reasonable basis for an audit opinion. Common sense also dictates that the
audit documentation be sufficient to show that the financial statements conform to the
relevant accounting framework and that the disclosures are adequate. The audit documentation also should explain how exceptions, unusual accounting questions, and findings
contradictory to the audit team’s final conclusions were resolved or treated. In addition,
the resolution of any differences among audit team members must be documented. Taken
altogether, these features should demonstrate that all auditing standards were observed
and executed.
Audit Documentation Arrangement and Indexing
Each public accounting firm has a different method of arranging and indexing audit documentation files. In general, however, the documentation is electronically hyperlinked
and numbered in order behind the trial balance according to balance-sheet and incomestatement captions. Usually, the current assets are numbered (or indexed) first, followed
by fixed assets, other assets, liabilities, equities, income, and expense accounts. A lead
schedule is a summary of the accounts or components in an account group. For cash, the
lead schedule includes all of the company’s cash accounts. For inventory, the lead schedule may include inventory amounts by product line, cost of goods sold, and reserves for
obsolescence. The amounts on the lead schedule should agree with prior-year numbers,
the current-year general ledger amounts, and, after any adjustments, the audited financial statements. To help better visualize, the typical arrangement is shown in writing in
Exhibit 3.8.11
Several audit documentation preparation techniques are quite important for the quality
of the finished product. The points explained here are illustrated in Exhibit 3.9.
10
PCAOB Release No. 2007-005A, “AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An
Audit of Financial Statements,” June 12, 2007.
11
Apollo Shoes, the comprehensive audit case accompanying this text, utilizes electronic workpapers. The Apollo Shoes minicases provide good examples to students of how electronic workpapers appear and are organized, which is similar to that
shown in Exhibit 3.8.
110 Part Two The Financial Statement Audit
EXHIBIT 3.8 Current Audit Documentation File
Dunder-Mifflin Inc.
Inventory Lead Schedule
12/31/23
Other Lead
Schedules
Dunder-Mifflin Inc.
Accounts Receivable Lead Schedule
12/31/23
Dunder-Mifflin Inc.
Bank Confirmation—First National Bank
12/31/23
Supporting
Schedules
Dunder-Mifflin Inc.
Bank Reconciliation—1st National Bank
12/31/23
Ref
--A-1
B-1
C-1
Account Unaudited
------- --------Cash
$486,000
A/R
Inventory
A-2-1
A-2
Audited
Balance
------$484,000
Ref Account
Unaudited
--- --------------A-2 1st National $484,000
AJE
----
A-3 2nd National
2,000
$50,000
52,000
$486,000
$50,000
$536,000
TB-1
AJE
-------$50,000
B-1
A-1
Dunder-Mifflin Inc.
Cash Lead Schedule
12/31/23
Dunder-Mifflin Inc.
Working Trial Balance
12/31/23
C-1
TB-1
Audited
Balance
-------$536,000
Cash
Expenses
Dunder-Mifflin Inc.
Adjusting Entries
12/31/23
Dr.
-------$50,000
TB-3
Cr.
-----$50,000
∙ Indexing. Each document (e.g., each worksheet an Excel workbook) is given an index
number, like a book page number, so it can be found, removed, and replaced without
loss.
∙ Cross-referencing. Numbers or memoranda related to other documents carry the index
of the other documents so the connections can be followed. Electronic documents will
include hyperlinks to documents cross-referenced.
∙ Heading. Each document is titled with the name of the company, the balance-sheet
date, and a descriptive title of the document’s contents.
∙ Signatures and initials. The auditor who performs the work and the supervisor who
reviews it must sign the audit documentation so personnel can be identified.
∙ Dates of audit work. The dates of performance and review are recorded on the documents so reviewers of the documentation can tell when the work was performed.
∙ Audit marks and explanations. Audit marks (or “tick marks”) are the auditor’s shorthand for abbreviating comments about work performed. Audit marks always must
be accompanied by a full explanation of the auditing work. (Notice in Exhibit 3.9
the auditor’s confirmation of the disputed account payable liability.) On electronic
Chapter 3 Engagement Planning and Audit Evidence 111
EXHIBIT 3.9 Illustrative Audit Documentation
Company Name
Initials of auditors and dates of work
A-2
DUNDER-MIFFLIN INC.
BANK RECONCILIATION—FIRST NATIONAL BANK
General Account
(12/31/23)
Prepared
Reviewed
Index
number
F.D. 1 10 24
JRA 1 10 24
(Prepared by client)
506,100
Balance per bank statement
Add:
51,240
Deposit in transit as of 12/31/20
“Tick mark”
symbols
557,340
Deduct outstanding checks:
Date
--------11/30/23
11/31/23
12/15/23
12/28/23
12/30/23
12/30/23
12/30/23
12/30/23
Balance per book
No.
----842
1280
1372
1412
1417
1418
1419
1420
Payee
---------------------------500
Ace Supply Company
1,800
Ace Supply Company
30,760
Northwest Lumber Co.
7,270
Gibson & Johnson
20,000
First National payroll
2,820
Ace Supply Company
2,030
Windy City Utilities
8,160
Howard Hardware Supply
--------
73,340
-------484,000
-- -- -- -- -- -- -- -A-1
Note: Obtained cutoff bank statement 1 9 24
A-2-2
Footed.
Confirmed by bank standard back confirmation. A-2-1
Vouched to cutoff bank statement, deposit recorded by bank
on 1 3 24. Vouched to duplicate deposit slip validated 1 03 24.
Vouched to paid check cleared with cutoff bank statement.
Vouched to statement from attorneys. Amount agrees.
Amount in dispute per controller. Confirmation from supplier claims
liability of $5,000. See K-4 for recommended adjustment.
Arithmetic
footed
Cross-reference
to lead schedule
Cross-index to
other workpapers
Explanations of audit
work performed
documents, comments can be hyperlinked so that reviewers can find additional explanations of audit procedures performed.
Professional standards require that audit documentation, including workpapers and
other documents that form the basis of the engagement, be retained for a minimum of
five years following the conclusion of the engagement for nonpublic company clients
and seven years for public clients. Standards also stress that audit documentation to be
retained include those workpapers that document any discussions and subsequent resolution of differences in professional judgment among the audit team members. Standards
require that all documentation be finalized within 60 days of the audit report’s release
date for nonpublic companies and within 45 days for public companies. Although the
documentation requirements differ for public versus nonpublic clients, for simplicity,
most public accounting firms use the documentation requirements for public company
engagements for nonpublic clients as well.
112 Part Two The Financial Statement Audit
REVIEW CHECKPOINTS
3.18 What is the purpose of a planning memorandum?
3.19 What information would you expect to find in a permanent audit file?
3.20 What information would you expect to find in a current audit file?
3.21 What are the documentation retention requirements for nonpublic and public clients?
Summary
This chapter contains a description of the specific set of planning activities that auditors
undertake when completing an engagement. Pre-engagement activities start with the
work of deciding whether to accept a new client and, on an annual basis, whether to
continue the engagement for existing clients. Public accounting firms are not obligated
to provide audit services to every company or organization that requests them, and they
regularly exercise discretion when deciding which they choose to undertake. For audit
engagements, the investigation may involve the cooperative task of communicating with
the organization’s former (predecessor) auditors. In addition, firms need to make sure
that they are in compliance with both independence and ethical requirements before
deciding whether to accept a new client or continue with an existing client.
The audit plan is a comprehensive list of the specific audit procedures that the audit
team needs to perform to gather sufficient appropriate evidence on which to base its
opinion on the financial statements. Although risk assessment (discussed in Chapter 4)
provides the basis to determine the nature, timing, and extent of procedures to be performed at an audit client, many other aspects of audit planning are also discussed in this
chapter. Other planning issues include properly staffing the audit, including using IT
auditors, considering the work of audit specialists and using the work of internal auditors,
and creating the time budget.
Because financial statement measurements and footnote disclosure information are
not flawlessly accurate, auditors need to ultimately ensure that the financial statements
are materially accurate and do not contain material misstatements. Information is material if
it is likely to influence financial statement users’ decisions. As a result, the engagement
team needs to think carefully about the appropriate level of materiality during the planning process. The auditor will then use this materiality as a guide to (1) plan and execute
substantive testing procedures, (2) evaluate audit evidence, and (3) make final decisions
about the auditor’s report.
Auditors then use a variety of procedures to gather evidence about management’s assertions
related to the amounts and disclosures in a client’s financial statements. In general, auditors
use eight different types of audit procedures to gather evidence: (1) inspection of records and
documents (vouching, tracing, scanning), (2) inspection of tangible assets, (3) observation,
(4) inquiry, (5) confirmation, (6) recalculation, (7) reperformance, and (8) analytical procedures. One or more of these procedures may be used no matter what account balance, control
procedure, class of transactions, or other information is under audit. Auditors must consider
a number of factors when planning based on the audit client’s computing environment. And
of course, the selection of procedures to be completed must always be tailored to the exacting
nuances of the client’s computing environment. Finally, CAATs can improve both engagement effectiveness and efficiency and are used by auditors on most engagements.
The closing topic in this chapter is a brief overview of audit documentation with some
basic pointers about their form, content, and overall purpose. At this stage in the audit
process, we have accepted (or retained) the client, considered the types of audit procedures that might be performed to gather evidence, and thought about the impact of a client’s
technological environment. The next step in the audit process is the assessment of inherent risk in both the financial statement account balances and footnote disclosures, which
serves as the focus of the next chapter.
Chapter 3 Engagement Planning and Audit Evidence 113
Key Terms
analytical procedures: Procedures that allow auditors to evaluate financial information by
studying relationships among both financial and nonfinancial data. When used near the end of the
audit, analytical procedures allow auditors to assess the conclusions reached during the audit and
evaluate the overall financial statement presentation, 106
audit documentation: The written basis for the auditor’s conclusions that provides the necessary
support for the auditor’s assertions and representations made in the auditor’s report, 107
audit engagement partner: The person with the final responsibility for the audit, usually an
industry specialist, 90
audit plan: A comprehensive list of the specific audit procedures that the audit team needs to
perform to gather sufficient appropriate evidence on which to base their opinion on the financial
statements, 89
continuing audit files (or permanent files): The audit documentation containing information of
continuing audit significance for current and past audits of the same client, 108
engagement letter: This letter sets forth the understanding with the client, including in particular
(1) the objectives of the engagement, (2) management’s responsibilities, (3) the auditors’
responsibilities, and (4) any limitations of the engagement, 87
Form 8-K: The “current events” report filed periodically at the occurrence of major events, such
as earnings releases, major asset sales, acquisitions, and auditor changes, 85
independence in appearance: The extent to which others (particularly financial statement users)
perceive auditors to be independent, 87
independence in fact: Auditors’ mental attitude and impartiality with respect to the client, 87
interim audit work: The procedures performed several weeks or months before the
balance-sheet date, 94
internal control audit plan: A plan that would contain a list of the specific procedures needed
to obtain an understanding of the client’s internal control system and test that understanding for
those controls that relate to the relevant financial statement assertions, 100
lead schedule: A summary of the accounts in or components of an account group, 109
materiality: An amount or event that has a substantial likelihood to influence financial statement
users’ decisions. Thus, material information is a synonym for important information. The
emphasis is on the financial statement users’ point of view, not on the auditors’ or managers’
points of view, 95
planning memorandum: The document summarizing the preliminary analytical procedures and
the materiality assessment with specific directions about the effect on the audit, 108
predecessor auditor: The public accounting firm that has been terminated or has voluntarily
withdrawn from an audit engagement (whether the audit has been completed or not), 84
quality assurance partner: The second audit partner on the audit team as required for audits of
financial statements filed with the SEC who reviews the audit team’s work in critical audit areas
(those areas with the highest potential audit risk), 90
specialists: The persons skilled in fields other than accounting and auditing—actuaries, appraisers,
attorneys, engineers, and geologists—who are not members of the public accounting firm, 93
substantive audit plan: Document that contains a list of audit procedures for gathering evidence
related to the relevant assertions identified for the significant financial statement accounts and
disclosures on an audit client, 100
termination letter: The documentation provided to former clients dealing with the subject of future
services, in particular (1) access to audit documentation by new auditors, (2) reissuance of
the auditors’ report when required for SEC reporting or comparative financial reporting, and
(3) fee arrangements for such future services. The termination letter also can contain a report
of the auditor’s understanding of the circumstances of termination (e.g., disagreements about
accounting principles and audit procedures, fees, or other conflicts), 88
tracing: An audit procedure in which the auditor selects a basic source document and
follows its processing path forward to find its final recording in a summary journal or
ledger. In practice, however, the term tracing may be used to describe following the
path in either direction, 103
vouching: An audit procedure in which an auditor selects an item of financial information,
usually from a journal or ledger, and follows its path back through the processing steps to its
origin (i.e., the source documentation that supports the item selected), 103
year-end audit work: The procedures performed shortly before and after the balance-sheet
date, 94
114 Part Two The Financial Statement Audit
Multiple-Choice
Questions for
Practice and
Review
LO 3-1
LO 3-2
All applicable questions are available
with Connect.
3.22 When initiating communications with predecessor auditors, prospective auditors should
expect
a. To take responsibility for obtaining the client’s consent for the predecessor to give information about prior audits.
b. To conduct interviews with the partner and manager in charge of the predecessor public
accounting firm’s engagement.
c. To obtain copies of some or all of the predecessor auditors’ audit documentation.
d. All of the above.
3.23 Generally accepted auditing standards require that auditors always prepare and use
a. A written planning memorandum explaining the auditors’ understanding of the client’s
business.
b. A written client consent to discuss audit matters with prospective auditors.
c. A written audit plan.
d. The written time budgets and schedules for performing each audit.
LO 3-2
3.24 When planning an audit, which of the following is not a factor that affects auditors’ decisions about the quantity, type, and content of audit documentation?
a. The auditors’ need to document compliance with generally accepted auditing standards.
b. The auditors’ need to verify the existence of new sales contracts important for the client’s business.
c. The auditors’ judgment about their independence with regard to the client.
d. The auditors’ judgments about materiality.
LO 3-5
3.25 Audit documentation that shows the detailed evidence and procedures regarding the balance
in the accumulated depreciation account for the year under audit will be found in the
a. Current file audit documentation.
b. Permanent file audit documentation.
c. Administrative audit documentation in the current file.
d. Planning memorandum in the current file.
LO 3-5
3.26 An auditor’s permanent file audit documentation most likely will contain
a. Internal control analysis for the current year.
b. The most recent engagement letter.
c. Memoranda of conference with management.
d. Excerpts of the corporate charter and bylaws.
LO 3-3
3.27 Which of the following is not a benefit claimed for the practice of determining materiality in
the initial planning stage of an audit?
a. Being able to fine-tune the audit work for effectiveness and efficiency.
b. Avoiding the problem of doing more work than necessary (overauditing).
c. Being able to decide early what type of audit opinion to issue.
d. Avoiding the problem of doing too little work (underauditing).
LO 3-4
3.28 Which of the following is an advantage of computer-assisted audit techniques (CAATs)?
a. All the CAATs programs are written in one computer language.
b. The software can be used for audits of clients that use differing computer equipment and
file formats.
c. The use of CAATs has reduced the need for the auditor to study input controls for computer-related procedures.
d. The use of CAATs can be substituted for a relatively large part of the required testing.
Chapter 3 Engagement Planning and Audit Evidence 115
LO 3-2
3.29 An audit engagement letter should normally include which of the following matters of
agreement between the auditor and the client?
a. Schedules and analyses to be prepared by the client’s employees.
b. Methods of statistical sampling the auditor will use.
c. Specification of litigation in progress against the client.
d. Client representations about availability of all minutes of meetings of the board of
directors.
LO 3-2
3.30 When auditing Vandalay Jewelry, Costanza, CPA, was not familiar with the quality and cut
of the company’s precious jewel inventory. To address this shortcoming, Costanza hired
Benes, an expert in jewel valuation, to assist as an audit specialist for the inventory valuation. Should Costanza refer to Benes’s work in the audit report?
a. Yes, the auditors’ report should mention the fact that an audit specialist was used.
b. The auditors’ report should mention the use of the audit specialist only when the audit
specialist’s findings affect the auditors’ conclusions.
c. The use of an audit specialist need not be mentioned if the auditors decide not to take
responsibility for the audit specialist’s findings.
d. The auditors’ report should mention the audit specialist only if Vandalay agrees with the
audit specialist’s findings.
LO 3-2
3.31 Which of the following engagement planning procedures would most likely assist the auditor in identifying related-party transactions before the balance-sheet date?
a. Interviewing internal auditors about their reporting responsibilities.
b. Reviewing accounting records for recurring transactions occurring near year-end.
c. Inspecting communications with the client’s legal counsel regarding recorded contingent liabilities.
d. Scanning the minutes for significant transactions with members of the board of directors.
LO 3-2
3.32 Which of the following communications is most likely to be written before the balancesheet date?
a. A report to the audit committee on the results of testing of internal control over cash
receipts.
b. Confirmation letters to vendors confirming the amounts they owe to the client.
c. An attorney’s letter regarding contingent liabilities.
d. An engagement letter.
LO 3-2
3.33 Which of the following procedures would most likely be performed during planning?
a. Surprise counting of the client’s petty cash fund.
b. Reporting internal control deficiencies to the audit committee.
c. Performing a search for unrecorded liabilities.
d. Identifying related parties.
LO 3-1
3.34 Prior to accepting a new audit engagement, a public accounting firm should
a. Attempt to contact the predecessor auditors.
b. Evaluate the integrity of management.
c. Assess the firm’s resources to ensure that they are sufficient to permit the firm to accept
the engagement.
d. All of the above.
LO 3-2
3.35 An audit plan contains
a. Specifications of audit standards relevant to the financial statements being audited.
b. Specifications of procedures the auditors believe appropriate for the financial statements
under audit.
c. Documentation of the assertions under audit, the evidence obtained, and the conclusions
reached.
d. Reconciliation of the account balances in the financial statements with the account balances in the client’s general ledger.
116 Part Two The Financial Statement Audit
LO 3-4
3.36 The revenue cycle of a company generally includes which accounts?
a. Inventory, accounts payable, and general expenses.
b. Inventory, general expenses, and payroll.
c. Cash, accounts receivable, and sales.
d. Cash, notes payable, and capital stock.
LO 3-4
3.37 When auditing the existence assertion for an asset, auditors proceed from the
a. Financial statement amounts back to the potentially unrecorded items.
b. Potentially unrecorded items forward to the financial statement amounts.
c. General ledger back to the supporting original transaction documents.
d. Supporting original transaction documents to the general ledger.
LO 3-4
3.38 Confirmations of accounts receivable provide evidence primarily about which two
assertions?
a. Completeness and valuation.
b. Valuation and rights and obligations.
c. Existence and rights and obligations.
d. Existence and completeness.
LO 3-3
3.39 With respect to the concept of materiality, which of the following statements is correct?
a. Materiality depends only on the dollar amount of an item relative to other items in the
financial statements.
b. Materiality depends on the nature of a transaction rather than the dollar amount of the
transaction.
c. Materiality is determined by reference to AICPA guidelines.
d. Materiality is a matter of professional judgment.
LO 3-4
3.40 When evaluating whether accounting estimates made by management are reasonable, the
audit team would be most concerned about which of the following?
a. Key factors that are consistent with prior periods.
b. Assumptions that are similar to industry guidelines.
c. Measurements that are objective and not susceptible to bias.
d. Evidence of a conservative systematic bias.
LO 3-4
3.41 Which of the following would be considered an analytical procedure?
a. Testing purchasing, shipping, and receiving cutoff activities.
b. Comparing inventory balances to recent sales activities.
c. Projecting the deviation rate of a statistical sample to the population.
d. Reconciling physical counts to perpetual records and general ledger balances.
(AICPA adapted)
LO 3-2
3.42 Which of the following procedures would a CPA most likely perform in planning a financial
statement audit?
a. Make inquiries of the client’s lawyer concerning pending litigation.
b. Perform cutoff tests of cash receipts and disbursements.
c. Compare financial information with nonfinancial operating data.
d. Recalculate the prior-years’ accruals and deferrals.
(AICPA adapted)
LO 3-4
3.43 Which of the following statements is correct concerning analytical procedures used in planning an audit engagement?
a. They often replace the tests of controls that are performed to assess control risk.
b. They typically use financial and nonfinancial data aggregated at a high level.
c. They usually involve the comparison of assertions developed by management to ratios
calculated by an auditor.
d. They are often used to develop an auditor’s preliminary judgment about materiality.
(AICPA adapted)
Chapter 3 Engagement Planning and Audit Evidence 117
LO 3-2
3.44 The company being audited has an internal auditor who is both competent and objective.
The independent auditor wants to assign tasks for the internal auditor to perform. Under
these circumstances, the independent auditor may
a. Allow the internal auditor to perform certain tests of internal controls.
b. Allow the internal auditor to audit a major subsidiary of the company.
c. Not assign any task to the internal auditor because of the internal auditor’s lack of
independence.
d. Allow the internal auditor to perform analytical procedures but not be involved with any
tests of details.
(AICPA adapted)
LO 3-1
3.45 Which of the following conditions most likely would pose the greatest risk in accepting a
new audit engagement?
a. Staff will need to be rescheduled to cover this new client.
b. There will be a client-imposed scope limitation.
c. The firm will have to hire a specialist in one audit area.
d. The client’s financial reporting system has been in place for 10 years.
(AICPA adapted)
Exercises and
Problems
LO 3-4
All applicable Exercises and Problems are available
with Connect.
3.46
General Audit Procedures and Financial Statement Assertions. The eight general
audit procedures produce evidence about the principal management assertions in financial
statements. However, some procedures are useful for producing evidence about certain
assertions, and other procedures are useful for producing evidence about other assertions.
The assertion being audited can influence the auditors’ choice of procedures.
Required:
Opposite each general audit procedure, write the management assertions best tested by using
each procedure.
Audit Procedures
PCAOB Assertions
ASB Assertions
a. Inspection of records or documents (vouching)
b. Inspection of records or documents (tracing)
c. Inspection of records or documents (scanning)
d. Inspection of tangible assets
e. Observation
f. Confirmation
g. Inquiry
h. Recalculation
i. Reperformance
j. Analytical procedures
LO 3-4
3.47
LO 3-4
3.48 Confirmation Procedure. A CPA accumulates various types of evidence on which to
base the opinion on financial statements. Among this evidence is confirmations from third
parties.
Audit Procedures. Auditors use different types of audit procedures to gather the evidence
necessary to conclude that the risk of material misstatement for each relevant assertion has
been reduced to an acceptably low level. List eight different types of procedures auditors
can use during an audit of financial statements and give an example of each.
118 Part Two The Financial Statement Audit
Required:
a. What is an audit confirmation?
b. What characteristics of the confirmation process and the recipient are important if a CPA
is to consider the confirmation evidence appropriate?
LO 3-4
3.49 Potential Audit Procedure Failures. For each of the general audit procedures of (a) recalculation, (b) observation, (c) confirmation (accounts receivable, securities, or other assets),
(d) inquiry, (e) inspection of internal documents, (f) recalculation, (g) reperformance, and
(h) analytical procedures, discuss one way the procedure could be misapplied or the auditors
could be misled in such a way as to render the work (audit evidence) misleading or irrelevant. Give examples that are different from the examples in the chapter.
LO 3-5
3.50 Audit Documentation. The preparation of audit documentation is an integral part of an
auditor’s examination of financial statements. On a recurring engagement, auditors review
the audit plans and audit documentation from the prior audit while planning the current audit
to determine their usefulness for the current-year work.
Required:
a.(1) What are the purposes or functions of audit documentation?
(2) What records may be included in audit documentation?
b. What factors affect the auditors’ judgment of the type and content of the audit documentation for a particular engagement?
c. What should be included in audit documentation to support auditors’ compliance with
generally accepted auditing standards?
d. How can auditors make the most effective use of the prior-year audit plans in a recurring audit?
(AICPA adapted)
LO 3-1
3.51 Communications between Predecessor and Successor Auditors. Assume that Smith &
Smith, CPAs, audited Apollo Shoes Inc., last year. Now CEO Larry Lancaster wishes to
engage Anderson, Olds, and Watershed, CPAs (AOW) to audit its annual financial statements. Lancaster is generally pleased with the services provided by Smith & Smith, but
he thinks the audit work was too detailed and interfered excessively with normal office
routines. AOW has asked Lancaster to inform Smith & Smith of the decision to change
auditors, but he does not wish to do so.
Required:
List and discuss the steps AOW should follow with regard to dealing with a predecessor
auditor and a new client before accepting the engagement.
LO 3-1
3.52 Predecessor and Successor Auditors. The president of Allpurpose Loan Company had a
genuine dislike for external auditors. Almost any conflict generated a towering rage. Consequently, the company changed auditors often.
The firm of Wells & Ratley (W&R), CPAs, was recently hired to audit the 2023 financial
statements. W&R succeeded the firm of Canby & Company (C&C), which had obtained
the audit after Albrecht & Hubbard (A&H) had been fired. A&H audited the 2022 financial
statements and rendered a report that contained an additional paragraph explaining an uncertainty about Allpurpose Loan Company’s loan loss reserve. Goodbye A&H! The president
then hired C&C to audit the 2023 financial statements, and Chris Canby started the work,
but before the audit could be completed, Canby was fired and W&R was hired to complete
the audit. C&C did not issue an audit report because the audit was not finished.
Required:
Does the Wells & Ratley firm need to initiate communications with Canby & Company?
With Albrecht & Hubbard? With both? Explain your response in terms of the purposes of
communications between predecessor and successor auditors.
LO 3-1
3.53 Client Selection. You are a CPA in a regional public accounting firm that has 10 offices in
three states. Mr. Shine has approached you with a request for an audit. He is president of
Hitech Software and Games Inc., a five-year-old company that has recently grown to $500
million in sales and $200 million in total assets. Shine is thinking about going public with
a $25 million issue of common stock, of which $10 million would be a secondary issue of
shares he holds. You are very happy about this opportunity because you know Shine is the
Chapter 3 Engagement Planning and Audit Evidence 119
new president of the Symphony Society board and has made quite a civic impression since
he came to your medium-size city seven years ago. Hitech is one of the growing employers
in the city.
Required:
a. Discuss the sources of information and the types of inquiries that you and the firm’s partners may make in connection with accepting Hitech as a new client.
b. Do professional audit standards require any investigation of prospective clients?
c. Suppose Shine also told you that 10 years ago his closely held hamburger franchise business went bankrupt, and on investigation, you learn from its former auditors (your own
firm in another city) that Shine was fraudulent in its application of franchise-fee income
recognition rules and presented such difficulties that your firm resigned from the audit
(before the bankruptcy). Do you think the partner in charge of the audit practice should
accept Hitech as a new client?
LO 3-2
3.54 Using the Work of Internal Auditors. North, CPA, is planning an independent audit of the
financial statements of General Company. In determining the nature, timing, and extent of
the audit procedures, North is considering General’s internal audit function, which is staffed
by Tyler.
Required:
a. In what ways can the internal auditor’s work be relevant to North, the independent
auditor?
b. What factors should North consider, and what inquiries should North make in deciding
whether to use Tyler’s internal audit work?
(AICPA adapted)
LO 3-4
3.55 Using the Computer to Discover Intentional Financial Misstatements in Transactions
and Account Balances. AMI International is a large office products company. Headquarters
management imposed pressure on operating division managers to meet profit forecasts. The
division managers met these profit goals using several accounting manipulations involving
the record-keeping system that maintained all transactions and account balances on computer files. Employees who operated the computer accounting system were aware of the
modifications of policy the managers ordered to accomplish the financial statement manipulations. The management and employees carried out these activities:
1. Deferred inventory write-downs for obsolete and damaged goods.
2. Kept open the sales entry system after the quarterly and annual cutoff dates, recording
sales of goods shipped after the cutoff dates.
3. Recorded leases of office equipment as sales transactions.
4. Recorded shipments to branch offices as sales.
5. Postponed recording vendors’ invoices for parts and services until later, but the actual
invoice date was faithfully entered according to accounting policy.
Required:
Describe one or more procedures that could be performed with CAATs to detect signs of
each of these transaction manipulations. Limit your answer to the actual work accomplished
by the computer software.
LO 3-4
3.56 Inspection of Documents and Records. A large portion of audit evidence is gathered
through inspection of documents and records. External documents, documents that are generated outside of the organization, provide more reliable evidence than documents generated
and maintained at the client.
Required:
a. For each of the documents below, indicate if the document is a strictly external document
(obtained from an external party), an external-internal document (generated outside of
the organization but given to the auditor by the client), or an internal document (generated and maintained by client).
1. Receiving report.
2. Customer purchase order.
120 Part Two The Financial Statement Audit
3. Bank statements received directly from the bank.
4. Copies of sales invoices.
5. Utility bill.
6. Departmental budget.
7. Insurance policy.
8. Remittance advice.
b. Why are external documents considered more reliable evidence than internal documents?
What aspects of internal documents would help to increase their reliability?
LO 3-5
3.57 Audit Documentation -Permanent or Current Year Files. Audit documentation can be
classified in two categories: (1) permanent files (which contain information that is relevant
for many years’ audits for the client) and (2) current files (which contain information that is
relevant to supporting the current year’s audit).
Required:
For each of the documents listed below, indicate whether they would appear in the permanent or current year files.
1.
2.
3.
4.
5.
6.
7.
LO 3-1
Audit planning memorandum
Client organizational chart
Prior-years’ financial statements and audit reports
Engagement letter
Bank confirmations
Schedule for current-year depreciation calculation
Royalty agreements
3.58 Pre-engagement activities. Client acceptance policies and procedures generally include
obtaining and reviewing financial information from prospective clients.
Required:
Your firm is considering accepting Apple Inc. as a new audit client. You are helping to perform client acceptance procedures by reviewing prior financial information. Go to the sec.
gov website and search for Apple Inc.’s most recent 10-K filing. Read through the Item 1,
Business, and Item 1A, Risk Factors, sections. What characteristics are red flags for potential problems? What characteristics would make Apple a desirable client?
LO 3-3
3.59 Materiality calculations. Materiality is ultimately a matter of professional judgment. However, during the planning process auditors make a calculation of preliminary materiality
based on a benchmark or rule of thumb.
Required:
FastFix is an online retail company that sells a variety of products including groceries, clothing, toys, and home decor and promises delivery within 5 days. The table below has select
financial data from 2022, 2023, and 2024. Using this information, calculate overall preliminary materiality using the following rules of thumb:
∙ 5% of profit before tax
∙ 1/2% of revenues
∙ 1% of total assets
FastFix Select Financial Data (in millions)
Net revenues
Profit before taxes
Total assets
2022
2023
2024
121,776
160,223
285,052
1,682
3,548
12,754
98,325
101,524
157,221
Which of these do you think is most appropriate to use for FastFix for 2022, 2023, and
2024, and why?
Chapter 3 Engagement Planning and Audit Evidence 121
LO 3-2
3.60
Time budget. Miguel is a first year staff at Anderson, Olds, and Watershed, CPAS. He has
been working on the accounts receivable substantive testing at FastFix, which has an audit
time budget of five hours. Through no fault of his own, the accounts receivable testing has
been much more difficult than anticipated. It has taken Miguel eight hours to complete his
testing. Miguel is considering “eating time” and indicating the testing has only taken five
hours on his time sheet.
Required:
a. What are the purposes for reporting time?
b. What are the pros and cons of Miguel reporting five hours to complete the work, versus
the eight hours it actually has taken? What would you do if you were Miguel?
Apollo Shoes
Audit Planning Part Two
You are a recently promoted senior (in charge) auditor for Anderson, Olds, and Watershed
and have been assigned to the engagement team of a new client, Apollo Shoes Inc. You
have been asked to begin the planning process for the audit. This includes making decisions
about the use of audit resources and further familiarizing yourself with the engagement
and the client. Detailed instructions regarding the information needed, as well as other
procedures you need to perform in this planning phase of the audit, can be found in
Connect.
CHAPTER 4
The Audit Risk Model
and Inherent Risk
Assessment
Don’t be fearful of risks. Understand them, and manage and minimize them to an acceptable level.
Navid Abdali
Professional Standards References
AU-C/ISA
Section
AS Section
Consideration of Fraud in a Financial Statement Audit
240
2401
Consideration of Laws and Regulations
250
2405
Communications with Audit Committees
260
1301
Audit Planning
300
2101
Identifying and Assessing the Risks of Material Misstatement
315
2110
Materiality
320
2105
Auditors’ Responses to Risks of Material Misstatement
330
2301
Audit Evidence
500
1105
Substantive Analytical Procedures
520
2305
Related Parties
550
2410
Topic
LEARNING OBJECTIVES
The professional standards emphasize the
importance of an auditor’s identification and
assessment of the risks of material misstatement
that exist related to an audit client. Once each of the
risks is identified and assessed, the auditor needs to
plan an appropriate response. Given the importance
122
of risk assessment, it is not surprising that the
professional standards state that the risk assessment
process underlies the entire audit process. In
Chapter 3, we covered the engagement planning
process, beginning with pre-engagement activities,
supervision, and materiality. In this chapter, we
provide comprehensive coverage of an auditor’s risk
assessment and its impact on the audit process.
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 123
Your objectives are to be able to
LO 4-1
Define audit risk and describe how it can
be broken down into the three separate
components of the audit risk model to help
assess and respond to such risks during the
audit planning process.
LO 4-2
Explain auditors’ responsibility for fraud
risk assessment and define and explain
the differences among several types of
fraud and errors that might occur in an
organization.
LO 4-3
Explain auditors’ responsibility to assess
inherent risk, including a description of
the type of risk assessment procedures
that should be performed when assessing
inherent risk on an audit engagement.
LO 4-4
Understand the different sources of
information and the audit procedures used
by auditors when assessing risks, including
analytical procedures, brainstorming, and
inquiries.
LO 4-5
Explain how auditors complete and
document the overall assessment of
inherent risk and the special considerations
given to fraud risks and noncompliance with
laws and regulations.
LO 4-6
Describe the content and purpose of an
audit strategy memorandum.
INTRODUCTION
When the COVID-19 pandemic hit in March 2020, many businesses faced uncertainty:
some wondering when they would see a return of customers, when employees would
return to the office, and how they would survive for the unknown length of time until
things returned to some form of normalcy. These uncertainties made the auditor’s job
more challenging too, in particular the job of identifying and assessing risks.
Risk assessment is the foundation of the audit process. It is the auditor’s assessment of risk
that should drive what audit procedures to perform in order for the auditor to obtain reasonable
assurance that financial statements are free from material misstatement. COVID-19 brought
about new or different risks to companies, including risks related to liquidity and debt compliance, the ability to continue as a going concern, cybersecurity risks related to remote working,
risks related to business interruption, and even a potential increase in risk due to fraud.1
For the 2020 and 2021 audits in particular, auditors had to consider how those COVID19-related business risks impacted their assessment of risk of material misstatement and
then develop an appropriate response with audit procedures that would limit the risk of
audit failure. What made this all the more difficult was that auditors had to re-envision
their approach to performing the audit procedures. Limitations on travel, the lack of the
ability to be “on-site” at the client, and the lack of in-person interactions with both clients
and audit team members that were a side effect of COVID-19 meant the auditors had to
consider new and/or alternative methods for performing audit procedures.2
This chapter focuses on the risk assessment phase of the audit, specifically discussing typical procedures and information auditors use to help identify and assess risks. As
highlighted in Exhibit 4.1 below, risk assessment is critical in order to properly plan and
perform the appropriate substantive procedures to continue the audit.
AUDIT RISK
LO 4-1
Define audit risk and
describe how it can be
broken down into the three
separate components of
the audit risk model to
help assess and respond to
such risks during the audit
planning process.
Audit Risk
Audit risk is the probability that an audit team will express an inappropriate audit opinion
when the financial statements are materially misstated (i.e., give an unmodified opinion
on financial statements that are misleading because of material misstatements that the
auditors failed to discover). Such a risk always exists, even when audits are well planned
1
2
A CAQ COVID-19 Resource: Focus on the Auditor’s Risk Assessment, CAQ, June 2020.
COVID-19: Reminders for Audits Nearing Completion, PCAOB Staff Spotlight, 2020.
124 Part Two The Financial Statement Audit
EXHIBIT 4.1
STAGES OF AN AUDIT
Stages of an Audit:
Risk Assessment
Obtain
(or Retain)
Engagement
Engagement
Planning
Risk
Assessment
Substantive
Procedures
Reporting
and carefully performed. Of course, the risk is much higher in poorly planned and carelessly performed audits. The auditing profession has no official standard for an acceptable
level of overall audit risk except that it should be “appropriately” low. In practice, audit
risk is evaluated at both the overall financial statement level (as a whole) and for each
significant account and disclosure through a focus on the relevant assertions identified.
A significant account or disclosure is an account or disclosure that has a reasonable possibility of containing a material misstatement regardless of the effect of internal controls.
A relevant assertion is a management assertion that has a reasonable possibility of containing a material misstatement without regard to the effect of internal controls. The concern an auditor has regarding any particular assertion depends on the significant account
that the auditor is testing (or to which the assertion relates). For example, an auditor may
deem the occurrence assertion to present more risk when testing revenue than the completeness assertion presents. Most companies want to report a healthy stream of revenue,
so it is unlikely that they will omit sales that would violate the completeness assertion.
It is more likely that a company reports sales that did not occur to present more revenue,
which would violate the occurrence assertion.
To help better understand and ultimately mitigate audit risk, the professional standards
break down overall audit risk (see Exhibit 4.2) into the risks (1) that a material misstatement will even occur (inherent risk), (2) that it would not be prevented or detected
by client internal controls (control risk), and (3) that it is not detected by the auditor’s
own procedures (detection risk). Because inherent risk and control risk are related to the
company and its overall environment, these two components are combined into the risk of
material misstatement (RMM), which is the risk a material misstatement exists in the financial statements before auditors apply their own procedures. Each of these components is
now discussed in detail.
EXHIBIT 4.2
Inherent, Control,
and Detection Risk
Internal Controls
Events,
Transactions
INHERENT RISK
The likelihood that an
error or fraud will enter
the accounting
information system
Accounting
Information
System
CONTROL RISK
The likelihood that an
error or fraud will not be
prevented or detected
by the client’s internal
controls
RISK OF MATERIAL MISSTATEMENT
Audit
Procedures
DETECTION RISK
The likelihood that an
error or fraud will not be
caught by the auditor’s
procedures
Financial
Statements
AUDIT RISK
The likelihood that an
error or fraud will occur
and not be caught by
either internal controls
or auditor’s procedures
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 125
Inherent Risk
Inherent risk is the probability that, in the absence of internal controls, material errors or
frauds could enter the accounting system used to develop financial statements. You can think
of inherent risk as the susceptibility of the account to misstatement. Inherent risk is a
function of the nature of the client’s business and strategy to achieve competitive advantage,
the major types of transactions, and the effectiveness and integrity of its managers and
accountants. It is important to understand that for different accounts, various assertions
are riskier than others. For cash, existence is riskier than completeness because it is more
likely that a client would try to include more cash than it really had on its balance sheet
rather than less; and for accounts payable, completeness is riskier than existence because
it is more likely that a client would try to understate what it really owed rather than overstate the amount. As a result, auditors focus their attention on relevant assertions. Finally,
it is important for students to remember that auditors do not create or control inherent
risk. They can only try to assess its magnitude in an appropriate manner. This will be
discussed in more detail later in the chapter.
Control Risk
Control risk is the probability that the client’s internal control activities will fail to prevent
or detect material misstatements provided that such misstatements enter or would have
entered the accounting system in the first place. So, for misstatements that could occur,
what is the audit client doing about such occurrences? Does it have the proper systems,
processes, and controls in place to either prevent or detect misstatements? Recall from
our discussion of auditing standards in Chapter 2 that one of the major purposes of an
internal control system is to ensure appropriate processing and recording of transactions
for the production of reliable financial statements. Similar to inherent risk, auditors do
not create or manage control risk. They can only evaluate an entity’s internal control system and assess its magnitude in an appropriate manner.
External auditors’ task of control risk assessment begins with learning about an
entity’s internal controls that are designed to prevent and detect material misstatements
related to each relevant assertion for each significant account and disclosure. The auditors then perform tests of controls if appropriate to determine whether they are operating
effectively. This process is discussed in detail in Chapter 5.
Detection Risk
Detection risk is the probability that the auditor’s own procedures will fail to detect material
misstatements provided that any have entered the accounting system in the first place
and have not been prevented or detected and corrected by the client’s internal controls.
In contrast to inherent risk and control risk, auditors are responsible for performing the
evidence-gathering procedures that manage and establish detection risk. These audit procedures represent the auditors’ opportunity to detect material misstatements that may
exist in the financial statements. In other words, unlike inherent risk and control risk,
auditors can and do influence the level of detection risk.
In Chapter 3, you learned about substantive procedures, the procedures used to detect
material misstatements that may exist in the significant account balances and disclosures
presented in the financial statements and footnotes. The two categories of substantive
procedures are (1) tests of details of transactions and balances, which provide specific
evidence directly supporting assertions; and (2) substantive analytical procedures, which
study plausible relationships among financial and nonfinancial data. Auditors are able to
reduce detection risk by completing more and stronger substantive tests. Generally speaking, in response to a higher assessed risk of material misstatement for a relevant assertion
being audited, auditors must reduce detection risk to an appropriate level by planning
appropriate substantive procedures. This relationship is now further illustrated with a
discussion of the audit risk model.
126 Part Two The Financial Statement Audit
Audit Risk Model
The three components of audit risk can be expressed in a conceptual model that is
designed to help auditors understand how the assessment of each component affects the
overall audit risk being faced on the engagement. It is also important to point out that the
audit risk model assumes that each of the elements is independent. Thus, the risks can be
expressed in a model form as follows:
Audit risk (AR) = Inherent risk (IR) × Control risk (CR) × Detection risk (DR)
In practice, the model is used in the following way. Suppose an audit team was auditing
the valuation assertion related to inventory. The team would initially set the desired level of
AR to low. Auditors would then gather information and perform procedures to assess the
susceptibility of misstatement (IR) related to the valuation of inventory. Let’s say that there
is a high risk of misstatement, therefore IR is assessed at a high level. Auditors would also
evaluate whether the client has internal controls in place to help mitigate that risk. Assuming the client does not have very effective internal controls, auditors would then assess CR
at a moderate or high level. Thus, the overall RMM (IR X CR) would be high. The auditors
would then solve for the DR. In order to maintain an overall audit risk at a low level, the
DR would be low or very low. A low or very low DR means the auditors are taking very
low risk that their audit procedures will fail to detect a misstatement. Thus, the auditors
would need to design audit procedures that would provide more appropriate and sufficient
evidence that a misstatement does not exist related to the valuation of inventory. Given that
IR is high and that controls over the valuation of inventory are not effective, it makes sense
that the audit procedures would need to be more appropriate and sufficient in order to keep
the overall AR low. Exhibit 4.3 illustrates the process described in the example.
Notice that the assessment of inherent risk (IR) and control risk (CR) led to a determination of detection risk (DR). As a result, detection risk depends on and is planned for
based on the assessment of the other risk factors. DR is calculated and derived from the
others by solving the risk model equation. It is not an independent judgment. Hence,
DR = AR/(IR × CR)
Exhibit 4.4 provides a visual display of the steps in the audit risk process.
EXHIBIT 4.3
1
2
Set Desired
Level of
Audit Risk
Assess
Inherent Risk
[low]
[high]
EXHIBIT 4.4
3
4
Assess
Control Risk
Solve for
Detection Risk
[moderate
or high]
[low or
very low]
Risk of Material Misstatement (RMM)
Audit Risk Model
set
assess
assess
calculate
AR=
IR×
CR×
DR
LOW or very
low
HIGH if
material
misstatement
is likely to
enter the
accounting
information
system
HIGH if
material
misstatement
is not likely to
be detected
by client’s
internal
controls
What is the
acceptable
level of
detection risk?
HIGH means
auditors could use
less effective
testing, and LOW
means auditors
need more
effective testing.
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 127
Based on the allowable or planned level of detection risk (which is always based on the
assessment of IR and CR), auditors modify the nature, the timing, and the extent of further
audit procedures. The nature of an audit procedure refers to the type of procedure (e.g.,
observation, recalculation, inquiry). When determining the nature of the audit procedure,
the auditor is considering what to do. When doing so, the auditor considers the overall effectiveness of different types of audit procedures in detecting misstatements. While inquiry of
management about whether accounts receivable listed on the balance sheet really exist is an
audit procedure, it would not be an effective one. A much more effective procedure would be
to confirm accounts receivable directly with the client’s customers.
Timing refers to when the audit procedures will be completed. To do so, the auditor typically considers whether to complete the procedures at an interim date or at the balance sheet
date. While confirmation of accounts receivable may be performed at an interim date, auditors are expressing an opinion on year-end balances. The closer the procedures are performed
to year-end (the balance sheet date), the more effective they are because there is less chance
of a material misstatement occurring between the interim confirmation date and year-end.
Finally, extent refers to the number of tests performed. Clearly, the larger the number
of accounts receivable confirmations that are mailed to customers, the greater the chance
of finding errors and fraud, and therefore, the lower the detection risk. Exhibit 4.5 summarizes the impact of detection risk on the nature, timing, and extent of audit procedures.
Note that there is an inverse relationship between RMM (i.e., inherent risk and control
risk) and detection risk. In other words, the greater the risk of material misstatement, the
lower the detection risk that auditors could allow in order to maintain the level of audit
risk with which they feel comfortable. This makes sense. If the relevant assertion is risky
or the related controls are poor, auditors would want to reduce detection risk by employing
more appropriate and sufficient substantive procedures to increase their effectiveness. On
the other hand, if the account is not risky and controls are strong, the auditor could employ
less appropriate and sufficient (and presumably less costly) substantive audit procedures.
Also note that, although the audit risk model implies a numerical calculation, the
example and discussion of how auditors use the audit risk model is in qualitative measures such as “low,” “moderate,” and “high.” In practice, firms use qualitative measures
of risk when using the audit risk model. Firms cannot know exact IR and CR, therefore
auditors cannot calculate the exact level of DR. The model represents more of a way to
think about audit risks than a way to calculate them.
The conceptual model does allow for some additional key insights, including these:
1. Auditors cannot estimate inherent risk to be none or zero and omit other evidencegathering procedures.
2. Auditors cannot place complete reliance on internal controls (that is, CR of none or
zero) to the exclusion of other audit procedures.
3. Auditors would not seem to exhibit due professional care if the level of audit risk was too high.
4. Although permissible, audit teams rarely choose to rely exclusively on evidence produced by substantive procedures. Even if they think that control risk is high, auditors
often perform some tests of controls to make sure the controls are in place.
Given that firms measure risks qualitatively, firms typically use a matrix approach similar
to the one shown in Exhibit 4.6. A matrix such as this relies on the relationships within the
audit risk model for determining detection risk. Auditors find the appropriate detection risk
by reading the cell at the intersection of the assessed levels of inherent risk and control risk.
EXHIBIT 4.5
The Impact of
Detection Risk
Allowed on the
Nature, Timing, and
Extent of Further
Audit Procedures
Lower Detection Risk Allowed
Higher Detection Risk Allowed
Nature
More effective tests
Less effective tests
Timing
Testing performed at year-end
Testing can be performed at interim
Extent
More tests
Fewer tests
128 Part Two The Financial Statement Audit
EXHIBIT 4.6
Control Risk (CR)
Matrix Approach to
Detection Risk (DR)
Determination
Inherent
Risk (IR)
Low
Moderate
High
Low
DR—High
DR—Moderate
to High
DR—Moderate
Moderate
DR—Moderate
to High
DR—Moderate
DR—Low to
Moderate
High
DR—Moderate
DR—Low to
Moderate
DR—Low
REVIEW CHECKPOINTS
4.1 Define audit risk.
4.2 What are the components of the risk of material misstatement (RMM)? What are the components of
the audit risk model?
4.3 How is the audit risk model used to plan the audit?
4.4 What is meant by the terms nature, timing, and extent of further audit procedures?
4.5 When detection risk is determined to be low, as shown in the lower right corner of Exhibit 4.6, what
impact does that have on planned substantive audit procedures, as opposed to when detection risk
is determined to be high, as shown in the upper left corner of Exhibit 4.6?
FRAUD RISK
LO 4-2
Explain auditors’
responsibility for fraud risk
assessment and define
and explain the differences
among several types of
fraud and errors that might
occur in an organization.
In the next section we will discuss the process auditors use to assess inherent risk. Prior
to assessing inherent risk, it is important to consider the risk of fraud and the role it plays
in the assessment of risk of material misstatement. Fraud is the act of knowingly making material misrepresentations of fact with the intent of inducing someone to believe the
falsehood and act on it and, thus, suffer a loss or damage. In our previous discussion of the
audit risk model, there is no specific mention of fraud risk. While fraud risk is not a stated
part of the audit risk model, fraud risk can never be ignored and impacts the risk of material misstatement (i.e., inherent risk and control risk) assessments. Auditors are required
to consider fraud risk on each audit engagement for each relevant assertion related to each
significant account and disclosure identified for an audit client. In effect, fraud risk is a
special case of risk of material misstatement related to those situations where management
intended to mislead the marketplace by issuing fraudulent financial statements.
When applying the audit risk model and assessing the risk of material misstatement,
the auditor must always remember that a misstatement in the financial statements may
be caused by an error or a fraud. What makes fraud different from errors is intent. Specifically, did a manager at the client intend to defraud? Or, was the misstatement simply
due to an error made by an employee? Because of the damage to the capital markets
caused by fraudsters who have intentionally misstated their financial statements, and the
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 129
difficulty of discovering misstatements that management is actively trying to hide, auditors
must give separate and careful attention to fraud risk on every audit engagement. The
following Auditing Insight identifies a number of infamous fraudsters.
AUDITING INSIGHT
When Upper Management Goes Bad
Perpetrator
(age at trial)
Company
Verdict
Punishment
Bernie Ebbers (63)
WorldCom
Found guilty on fraud and conspiracy
charges related to an $11 billion
accounting scandal.
Sentenced to 25 years in federal prison,
served 13 and was released due to health
issues in December 2019. Died February
2020.
Dennis
Kozlowski (59)
Tyco International
Found guilty of stealing $600 million
from the company.
Served a total of 6.5 years in a New York
state prison. Released in 2015.
Jeffrey Skilling (52)
Enron
Found guilty of securities fraud and
related charges.
Originally sentenced to 24 years in prison;
after many challenges to the punishment,
in 2013 the sentence was reduced to 14
years. Released in August 2018 after serving 11 years.
Sanjay Kumar (44)
Computer Associates
28 International Inc.
(CA)
Pleaded guilty to obstruction of justice
and securities fraud charges related to
CA’s $3.3 billion accounting scandal.
Fined $8 million, sentenced to 12 years in
prison, and ordered to pay $798.6 million
in restitution. Released in 2017 after serving nearly 10 years.
Bernie Madoff (71)
Madoff Investment
Securities
Pleaded guilty to securities fraud,
money laundering, filing false statements with the SEC, wire fraud, mail
fraud, and several other charges.
Sentenced to 150 years in prison. Died in
prison in April 2021.
Nathan Hardwick
IV (53)
LandCastle Title
Found guilty on 21 counts of wire fraud,
one count of conspiracy to commit wire
fraud, and one count of making false
statements to a federally insured financial institution.
Sentenced to 15 years in prison.
Elizabeth
Holmes (34)
Theranos
Settled fraud charges with the SEC.
Found guilty of fraud and conspiracy to
defraud investors.
Settled charges with the SEC for $500,000
and $18.9 million shares of stock. Awaiting sentencing in October 2022.
Billie McFarland (26)
Fyre Media (Fyre
Festival)
Pleaded guilty to wire fraud charges
related to Fyre Festival and to various
fraud charges from a separate ticketselling scheme.
Sentenced to 6 years in prison and
ordered to pay $26 million.
Jan Marselek (40)
Wirecard
Currently on the run. One of Interpol’s
most wanted for role in $2 billion fraud.
Jeffrey Hastings (62)
SAExploration
Pleaded guilty for conspiracy to commit
securities fraud and wire fraud.
Sentenced to 3 years in prison.
Sources: “Ebbers Is Sentenced to 25 Years for $11 Billion WorldCom Fraud,” The Wall Street Journal, July 14, 2005, p. A1; “Dennis Kozlowski, former Tyco CEO
who went to prison, back in M&A business,” South Florida SunSentinel, January 11, 2017, www.sun-sentinel.com; “Skilling Gets 24 Years in Prison,” The Wall Street
Journal, October 24, 2006, p. C1; “Ex-Enron CEO Skilling Has 10 Years Lopped off Sentence,” CNN.com, June 21, 2013, “Ex-leader of Computer Associates gets
12 year Sentence and Fine,” The New York Times, November 3, 2006, www.nytimes.com; “Sanjay Kumar, Former Software Executive, Released from Prison,” Newsday,
March 17, 2017, www.newsday.com; “Ponzi Schemer Bernie Madoff Dies in Prison at 82,” Associated Press, April 14, 2021, www.apnews.com; “Theranos’ Holmes to
be Sentenced in September for Fraud Conviction,” US News and World Report, January 12, 2022, www.usnews.com; “Theranos Founder Elizabeth Holmes Settles with
SEC in Alleged ‘elaborate, years-long fraud’,” Abcnews.go.com, March 15, 2018; “The Fyre Festival was a total disaster. Its founder is going to prison for wire fraud.”
The Washington Post, October 11, 2018, “Fyre Festival Organizer Billy McFarland Sentenced to 6 years on Fraud Charges,” NBC News, October 11, 2018, “Former
LandCastle Title CEO Nat Hardwick found guilty of embezzling $26 million,” Housingwire.com, February 13, 2019, “Former Enron CEO Jeff Skilling Released From
Prison,” Fortune, August 31, 2018; “Ex-Wirecard COO Fled to Belarus with Help from Austrian Officials - Bloomberg,” S&P Global Market Intelligence, January
26, 2021, www.spglobal.com. “Former SEAX CEO Pleads Guilty to Accounting Fraud Scheme,” Accounting Today, August 13, 2021, www.accountingtoday.com;
“SAExploration’s Ex-CEO Gets Three Years in Accounting Fraud Case,” Bloomberg Tax, November 15, 2021, news.bloombergtax.com.
130 Part Two The Financial Statement Audit
Given the damage that can occur to the capital markets as a result of fraud, auditors are
required by professional standards to hold a brainstorming session to consider the risk of
fraud in every audit engagement. The required brainstorming session will be discussed later
in the chapter in the context of gathering information for risk assessment. It is important for
students to recognize that the nature, timing, and extent of audit work should change as a
result of the auditor’s ultimate fraud risk assessment. In general, the lower the risk of material misstatement due to fraud, the less persuasive the audit evidence needs to be. It therefore follows that when fraud risk factors are identified, the auditor generally must obtain
more persuasive audit evidence. Most importantly, once fraud risk factors are identified, the
auditor should clearly identify the fraud risks and then design and perform procedures that
respond directly to fraud risks. The next several paragraphs provide some basic definitions
and examples of fraud and fraud risk factors to help further your understanding.
Fraud
Through both fraud and aggressive financial reporting, some companies have caused
financial statements to be misstated, usually by (1) overstating revenues and assets, (2)
understating expenses and liabilities, and (3) giving disclosures that are misstated or that
omit important information.3 Fraud that affects financial (or other) information and causes
financial statements to be materially misstated often arises from the perceived need to get
through a difficult period. The difficult period may be characterized by cash shortage,
increased competition, cost overruns, and similar events that cause financial difficulty.
Managers usually view these conditions as temporary, believing that getting a new loan,
selling stock, or otherwise buying time to recover can overcome them. In the meantime,
falsified financial statements are used to benefit the company. Generally, fraudulent financial
statements show financial performance and ratios that are more favorable than current
industry experience or than the company’s own history. Exhibit 4.7 illustrates three
categories of factors that might indicate increased risk of fraudulent financial reporting.
EXHIBIT 4.7 Fraud Risk Factors
Management’s Characteristics
and Influence
Industry
Conditions
Operating Characteristics and
Financial Stability
• Management has a motivation (bonus
compensation, stock options, etc.) to engage in
fraudulent reporting.
• Management decisions are dominated by an
individual or a small group.
• Management fails to display an appropriate attitude
about internal control and financial reporting.
• Managers’ attitudes are very aggressive toward
financial reporting.
• Managers place too much emphasis on earnings
projections.
• Management participates excessively in the
selection of accounting principles or the
determination of estimates.
• The company has a high turnover of senior
management.
• The company has a known history of violations.
• Managers and employees tend to be evasive when
responding to auditors’ inquiries.
• Managers engage in frequent disputes with auditors.
• Company profits lag those of its
industry.
• New requirements are passed
that could impair stability or
profitability.
• The company’s market is
saturated due to fierce
competition.
• The company’s industry is
declining.
• The company’s industry is
changing rapidly.
• A weak internal control environment
prevails.
• The company is not able to generate
sufficient cash flows to ensure that it
is a going concern.
• There is pressure to obtain capital.
• The company operates in a tax haven
jurisdiction.
• The company has many difficult
accounting measurement and
presentation issues.
• The company has significant transactions
or balances that contain estimates that
are difficult to audit.
• The company has significant and unusual
related-party transactions.
• Company accounting personnel are lax or
inexperienced in their duties.
3
An academic study (see M. Nelson, J. Elliott, and R. Tarpley, “How Are Earnings Managed? Examples from Auditors,” Accounting
Horizons, November 2002) examined more than 500 attempts to manage earnings that were detected by auditors. The majority
(more than 50 percent) of the attempts involved improper expense reductions, approximately 20 percent involved improper revenue increases, and the remainder involved business combinations and other accounting artifices.
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 131
A very common reason cited for falsifying financial statements is so a company can
meet its earnings projections either provided by management or set by financial analysts.
Simply stated, when a company fails to meet earnings projections, its stock price usually falls
and the managers of the company face great scrutiny. As a result, managers work very hard to
meet expectations set by analysts. In fact, sometimes a company’s performance will exactly
meet the earnings targets announced by management months earlier. To avoid the negative
outcomes that typically accompany a failure to meet expectations, managers sometimes
commit fraud. The accompanying Auditing Insight illustrates an example that occurred
at Bankrate.
AUDITING INSIGHT
Meeting Analyst Expectations at Bankrate
While reviewing the preliminary financial results for the second quarter of 2012, the chief financial officer, VP of finance, and director of
accounting at Bankrate Inc. concluded that their quarterly performance was going to fall dramatically short of analyst expectations. In
order to avoid possible repercussions from Wall Street, the managers
directed two different divisions to record additional revenue totaling
$800,000, without supporting documentation or analysis. Eventually,
the company’s auditors, Grant Thornton, discovered and flagged the
unsupported revenue. In July 2015, Bankrate restated its financial statements for the second quarter of 2012. In addition, in September 2015,
Bankrate was fined $15 million to settle the accounting fraud charges.
Sources: SEC Accounting and Auditing Enforcement Release No. 3683,
September 8, 2015. “Bankrate to Pay $15 Million to Settle Accounting Fraud
Charges,” Accounting Today, September 8, 2015.
While not as common, there are times when management may find it beneficial to
commit fraud by understating assets and revenues and overstating expenses and liabilities. This is likely to occur during times when profits are high and management wants
to put reserves in a “cookie jar”4 that can be used to increase profits in future years and
“smooth earnings” at the discretion of the management team. Understating profits also
can be desirable if the company is under scrutiny by governmental bodies, taxing authorities, labor unions, or competitors. Therefore, auditors must be aware of the potential for
fraudulent activity in both directions, depending on the relevant facts and circumstances.
When assessing the risk of fraud, auditors need to know about the red flags, those telltale
signs and indications that have accompanied many frauds that have occurred in the past.
Because of the double-entry bookkeeping system, fraudulent accounting entries always
affect at least two accounts and two places in financial statements. Because many frauds
involve improper recognition of assets, there is a theory of the “dangling debit,” which is
an asset amount that can be investigated and found to be false or questionable. Frauds may
involve the omission of liabilities, but the matter of finding and investigating the dangling
credit is normally very difficult. It “dangles” off the books. In other words, the “dangling
credit” is a credit that was never recorded to a liability account, resulting in an omission of
a liability that should have been recorded. (Consider the implications for the completeness
assertion in this scenario.) Misstated disclosures also present difficulty, mainly because
they involve words and messages instead of numbers. Omissions may be difficult to notice,
and misleading inferences may be very subtle. Exhibit 4.7 presents some of the other risk
factors that have characterized situations in which frauds have occurred. Among the fraud
risk factors identified, a company’s difficult accounting issues or balances that contain difficult estimates to audit can be very challenging for auditors.
Types of Fraud
Remember, financial statements may be materially misstated as a result of errors or fraud.
While accounting errors are usually unintentional, fraud consists of knowingly making
material misrepresentations of fact with the intent of inducing someone to believe the
4
Cookie jar reserves are overaccruals created by a company (credit accrual, debit expense). In times when the company struggles, it reverses the overaccrual (debit accrual, credit expense) to inflate profits. Once the “cookie jar” reserve has been established, auditors are in a bind because it may be difficult to object to the company correcting the overaccrual.
132 Part Two The Financial Statement Audit
falsehood and act on it and, thus, suffer a loss or damage. This definition encompasses
all means by which people can lie, cheat, steal, and dupe other people. There are, in
essence, two different types of fraud: Fraudulent financial reporting and misappropriation
of assets.
Fraudulent financial reporting is defined in AU-C 240.A2 as “intentional misstatements,
including omissions of amounts or disclosures in financial statements to deceive financial statement users. It can be caused by the efforts of management to manage earnings in
order to deceive financial statement users by influencing their perceptions about the entity’s performance and profitability.”5 Given this definition, fraudulent financial reporting
is often referred to as management fraud. Management fraud is deliberate fraud committed
by management that injures investors and creditors through materially misstated
information.
Misappropriation of assets is defined in AU-C 240.A7 as involving “the theft of an
entity’s assets and is often perpetrated by employees in relatively small or immaterial
amounts.”6 Therefore, misappropriation of assets is often referred to as employee fraud.
Employee fraud is the use of fraudulent means to misappropriate funds or other property
from an employer. It usually involves falsifications of some kind: using false documents,
lying, exceeding authority, or violating an employer’s policies. It consists of three phases:
(1) the fraudulent act, (2) the conversion of the funds or property to the fraudster’s use,
and (3) the cover-up. Employee fraud can be classified as either embezzlement or larceny.
This type of fraud is discussed in detail in Chapter 6. Other definitions related to misappropriation of assets are
∙ Embezzlement is a type of fraud involving employees or nonemployees wrongfully
misappropriating funds or property entrusted to their care, custody, and control,
often accompanied by false accounting entries and other forms of deception and
cover-up.
∙ Larceny is simple theft; for example, an employee’s misappropriation of an employer’s
funds or property that has not been entrusted to the custody of the employee.
∙ Defalcation is another name for employee fraud, embezzlement, and larceny.
Misstatements due to fraudulent financial reporting or misappropriation of assets are
distinctly different than errors. Errors are unintentional misstatements or omissions of
amounts or disclosures in financial statements. Errors are not considered fraud because
they occur unintentionally.
Exhibit 4.8 shows some acts and devices that are often involved in financial frauds.
Notice that these actions may be perpetrated by the organization or may be perpetrated
upon the organization. Collectively, these are known as white-collar crimes—the misdeeds
of people who wear ties to work and steal with a pencil or a computer terminal. Whitecollar crime produces ink stains instead of bloodstains.
Auditing standards require that auditors specifically assess the risk of material misstatement due to fraud for each engagement. Fraud risk factors relate to both misstatements arising from fraudulent financial reporting and misstatements arising from
misappropriations of assets (usually as a result of employee theft and the related attempt
to conceal this theft through erroneous journal entries). Furthermore, auditors should
consider these risk factors when determining what audit procedures to perform. With
regard to the audit risk model, fraud risk is always considered a key factor when an auditor assesses inherent risk. A complete discussion of inherent risk assessment follows in
the next section. The following Auditing Insight provides an example of how current
world events can impact and change fraud risk factors.
5
American Institute of Certified Public Accountants. “Consideration of Fraud in a Financial Statement Audit.” Accessed June 24, 2019.
Ibid.
6
Chapter 4
AUDITING INSIGHT
The Audit Risk Model and Inherent Risk Assessment 133
Fraud Is Changing and Expected to Be on the
Rise Post-Pandemic
The COVID-19 pandemic shifted the way businesses operate and
changed consumer behavior in many ways that are likely to be permanent post-pandemic. This shift has also had an impact on the likelihood
and types of frauds impacting organizations. In a survey of antifraud
professionals performed by the Association of Certified Fraud Examiners, in collaboration with Grant Thornton, 51% of the respondents
indicated that their organizations had uncovered more fraud than
usual since the pandemic began, with 71% believing there would be
an increase in fraud in the near future. Beyond the increase in discovered and expected frauds, the fraud risk categories have changed.
More than 80% of respondents expect a growth in fraud related to
cyberfraud (i.e., email compromise, hacking) and social engineering
(e.g., phishing, baiting), a clear reflection of the move to more remote
business operations and changing consumer habits. The good news
is that businesses are responding accordingly to the increased and
changing risks. More than 86% of the survey respondents indicated
that the resources available for antifraud teams in their organizations
either stayed the same or increased.
Source: The Next Normal: Preparing for a Post-Pandemic Fraud Landscape,
Association of Certified Fraud Examiners and Grant Thornton, 2021.
One last note regarding our responsibility for fraud: audit teams are concerned with
fraud only as it affects the financial statements. Of those frauds, audit teams are responsible to detect cases where fraudulent activity results in materially misstated financial
statements. For example, if a warehouse employee is misappropriating inventory but that
embezzlement does not result in materially misstated financial statements, auditors do
not necessarily have a responsibility to detect this type of fraud. However, if management
is materially misstating revenues in order to meet earnings expectations, auditors are
responsible for detecting this misstatement. That is not to say that auditors would ignore
immaterial fraud (indeed, any instance of fraud would cause auditors to re-evaluate
their assessment of management’s integrity), but only that auditors’ primary responsibility
is to design procedures to provide reasonable assurance that material frauds that might
misstate the financial statements are detected. The fraudulent acts highlighted in Figure 4.8
above are more likely to have a material impact on the financial statements and thus be of
more concern to the auditor.
EXHIBIT 4.8
Overview of Types of
Frauds
Owners
Managers
Stockholders
Creditors
Fraudulent Financial Statements
Securities Fraud
Insider Trading
Related-Party
Transactions
Customers
False Advertising
Short Shipments
Defective Products
Price Fixing
Shoplifting
False Refunds
False Credit Cards
NSF checks
Competitors
Theft of Trade Secrets
Employee Bribery
COMPANY
Government
Vendors
Suppliers
Consultants
Short Shipment
Double Billing
False Invoices
Employee Bribery
Employees
Expense Account Falsification
Embezzlement
Theft of Cash and Property
Kickbacks
False Benefits Claims
Falsified Payroll
Insurers
False Loss Claims
Tax Evasion
Contract Cost Padding
False Benefit Claims
134 Part Two The Financial Statement Audit
REVIEW CHECKPOINTS
4.6 What is the primary difference between a material misstatement due to fraud and one due to error?
4.7 What is the auditor’s responsibility regarding fraud risk?
4.8 What are the defining characteristics of (a) white-collar crime, (b) employee fraud, (c) embezzlement, (d) larceny, (e) defalcation, (f) management fraud, and (g) errors?
4.9 Identify three different categories of fraud risk factors. Next, for each category, what are some of
the conditions that can help contribute to a higher likelihood of financial statement fraud?
INHERENT RISK ASSESSMENT—“WHAT COULD GO WRONG?”
LO 4-3
Explain auditors’
responsibility to assess
inherent risk, including a
description of the type of
risk assessment procedures
that should be performed
when assessing inherent risk
on an audit engagement.
EXHIBIT 4.9
Misstatements by
Assertion
The professional standards make clear that risk assessment underlies the entire audit
process. As a result, it is absolutely essential that auditors take great care to appropriately assess the risks of material misstatement, either due to error or fraud that exists on
an audit engagement. When performing risk assessment procedures to accomplish this
objective, the first step taken by auditors is often to assess inherent risk for each relevant
assertion related to each of the significant accounts and disclosures identified on an audit
engagement.
Recall that inherent risk is the probability that, in the absence of internal controls,
material errors or frauds could enter the accounting system used to develop financial
statements. Inherent risks can arise from a variety of different sources, and an auditor’s
basis for assessing a client’s inherent risk is often found in his or her familiarity with the
types of misstatements that could occur for each assertion in any account balance or class
of transactions. Exhibit 4.9 shows the type of misstatement that can exist within transactions and the assertion that is violated.
A detailed understanding of an audit client’s business model, including its products
and services, is an essential part of an auditor’s inherent risk assessment process at both
the financial statement and the financial statement assertion levels. Inherent risk assessment helps to guide the auditor in allocating more and stronger resources to test specific
accounts and disclosures that present a higher likelihood of material misstatement and
therefore present a higher level of inherent risk. In effect, inherent risk assessment provides the basis for executing an appropriate response to the risks identified. Remember
that the assessment of inherent risk can be based on a variety of types of information.
At a preliminary level, the best indicator of the risk of a material misstatement in the
year under audit is a material misstatement that was discovered during the previous audit.
Also, changes in transaction types, technology, personnel, or accounting principles may
increase the risk of material misstatement. The nature of the client’s business can produce complicated transactions and calculations that are subject to information processing
and accounting treatment error. For example, real estate, franchising, and oil and gas
transactions are frequently complicated and subject to accounting error. Some types of
Misstatement Type
Assertion Violated
1. Invalid transactions are recorded.
Occurrence
2. Valid transactions or disclosures are omitted from the financial statements.
Completeness
3. Transaction or disclosure amounts are inaccurate.
Accuracy
4. Transactions are classified in the wrong accounts.
Classification
5. Transactions are inappropriately aggregated or disaggregated and are not
clearly described.
Presentation
6. Transactions are recorded in the wrong period.
Cutoff
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 135
inventories are more difficult than others to count, value, and keep accurately in perpetual
records. The following factors have been suggested as being related to the susceptibility
of accounts to misstatement or fraud:
∙ Dollar size of the account. The higher the account balance, the greater the chance of
having errors or fraud in the account.
∙ Liquidity. The greater the account’s liquidity (ability to be easily converted to cash),
the more susceptible the account is to fraud. For example, cash is more susceptible to
theft than, say, a building.
∙ Volume of transactions. The higher the volume of transactions, the higher the chance
of error or fraud occurring in the transactions.
∙ Complexity of the transactions. Very complex transactions (e.g., those involving derivative securities or hedging transactions) tend to have a higher percentage of errors than
simple transactions.
∙ Subjective estimates. Subjective measurements (e.g., estimating the allowance for
doubtful accounts) tend to have more errors and fraud than objective measurements
(e.g., counting petty cash). Simply stated, the more subjective the measurement, the
easier it is to manipulate.
Understanding the Client’s Business and Its Environment
As previously noted, understanding the client’s business and its environment is essential
in order to properly assess inherent risk. Auditing standards require auditors to obtain a
thorough grasp of the business in order to properly plan and perform the audit. Understanding the following elements of the client’s business is essential:
∙
∙
∙
∙
Relevant industry, regulatory, and other external factors.
The nature of the company and related parties.
The effect of client computerized processing.
The company’s selection and application of accounting principles, including related
disclosures.
∙ The company’s objectives and strategies and those related business risks that might
reasonably be expected to result in risks of material misstatement.
∙ The company’s measurement and analysis of its financial performance.
Each of these areas are discussed further below.
Industry, Regulatory, and Other External Factors
Auditors must obtain an understanding of relevant industry, regulatory, and other external factors that encompass the client’s competitive environment. This includes a detailed
understanding of the regulatory environment, including the applicable financial reporting framework (e.g., U.S. GAAP or IFRS). Auditors must also understand the broad
economic environment in which the client operates, including such things as the effects
of national economic policies (e.g., price regulations and import/export restrictions),
the geographic location and its economy (e.g., northeastern states versus sunbelt states),
and developments in taxation and regulatory areas (e.g., industry regulation, approval
processes for products in the drug and chemical industries).
Industry characteristics are also important. There is a great deal of difference in the
production and marketing activities of banks, insurance companies, mutual funds, supermarkets, hotels, oil and gas industries, agriculture organizations, manufacturers, and so
forth. Likewise, there can be a great deal of difference in where difficult and complex
accounting transactions occur among the industries. Therefore knowledge of the industry,
including the competition and market in which the client operates, is essential in helping
to identify areas of increased risk of misstatement. In addition, auditors should be aware
of the effects of world events, such as the recent COVID-19 pandemic, that impact the
economy and the subsequent impact on the industry and their clients in particular.
136 Part Two The Financial Statement Audit
The Nature of the Company and Related Parties
Obtaining an understanding of the nature of the company includes understanding
∙ The company’s organizational structure and management personnel. Is the client
centralized or decentralized? Are senior managers familiar with accounting and reporting
requirements? Do they value the importance of good controls? Are any officers,
employees, or shareholders involved in related-party transactions?
∙ The sources of funding of the company’s operations and investment activities. Is the
company funded by debt or equity? Are there restrictions placed by lenders that management must meet (e.g., debt covenants)? Does it have the financing in place to meet
future cash requirements? Are any lenders or shareholders involved in related-party
transactions?
∙ The company’s significant investments. Is the company invested in other companies
for strategic purposes? What is the company’s investment policy? Do overseas investments present a risk of nationalization? Are any subsidiaries involved in related-party
transactions? Is the company planning to acquire another company? As the nearby
Auditing Insight reveals, there are additional risks for auditors if their client is either
about to be acquired by or planning to acquire another company.
∙ The company’s operating characteristics, including its size and complexity. Does the
company operate internationally? Do subsidiaries operate in diverse industries?
∙ The sources of the company’s earnings, including the relative profitability of key products
and services, and key supplier and customer relationships. Are there any threats to
loss of revenue from losing suppliers or customers? Could key products be overtaken
by competitors’ products? Could advances in technology make the client’s products
obsolete? Are any customers or suppliers related parties?
AUDITING INSIGHT
How Hewlett-Packard Overpaid for Autonomy
When Hewlett-Packard (HP) admitted that it overpaid when it acquired
Autonomy for $11.1 billion in October 2011, the management team did
not accept responsibility for the blunder. Rather, an investigation completed
by HP concluded that there were serious “accounting improprieties” and
“outright misrepresentations” found on Autonomy’s financial statements.
According to HP CEO Meg Whitman, “There appears to have been a willful sustained effort” to inflate Autonomy’s revenue and profitability. “This
was designed to be hidden.” As a result, HP wrote down $8.8 billion of
Autonomy’s value just one year after the acquisition. To help recoup some
of their losses, in 2015 HP filed a lawsuit against former Autonomy CEO
Mike Lynch for $5 billion. In 2022, after years in the UK court system, HP
won their lawsuit, although the amount due is yet to be determined and
will likely be “considerably less” than $5 billion. In the meantime, in April
2018 the U.S. Department of Justice convicted Autonomy CFO Sushovan
Hussain of falsifying financial statements and exaggerating the company’s
value and sentenced him to five years in prison. Criminal charges have also
been filed in the U.S. against Mike Lynch, his extradition to the U.S. to face
those charges was approved in January 2022.
For its part, Deloitte UK defends its audit work completed at
the company. In fact, a spokesman for Deloitte UK “categorically
denies that it had any knowledge of any accounting improprieties or
any misrepresentations in Autonomy’s financial statements, or that
it was complicit in any accounting improprieties or misrepresentations.” The Financial Reporting Council (FRC), the auditing regulator
in the UK, disagrees. In 2020, the FRC hit Deloitte with a record
15 million pounds fine ($19.4 million) for conducting audit work
that, in their view, “fell significantly short of the standards expected
of an audit firm.”
Source: “HP Says It Was Duped, Takes $8.8 Billion Charge,” The Wall Street
Journal, November 21, 2012, p. A1; “US Charges Autonomy Founder With
Fraud Over Hewlett Packard Deal,” The Wall Street Journal, November 30,
2018, “Deloitte and Former Autonomy Chiefs Face Action,” BBC News, May
31, 2018; Gareth Corfield, “HPE wants British ex-CFO to testify in UK Autonomy lawsuit before Uncle Sam sentences him,” The Register, February 18,
2019. “Deloitte Hit with Record 15 Million Pound Fine for Autonomy Audit,”
Reuters, September 17, 2020. “HP Wins Fraud Case Against Autonomy’s Mike
Lynch,” Wired, January 28, 2022.
You may have noticed that many of the questions typically asked to gain an understanding of the nature of the company referenced related parties and related-party transactions.
Related parties are those individuals or organizations that can influence or be influenced
by decisions of the company, possibly through family ties or investment relationships.
According to the professional standards, an auditor’s primary objective in regard to
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 137
related parties is to obtain the evidence needed to determine whether “related parties and
relationships and transactions with related parties have been properly identified, accounted
for, and disclosed in the financial statements.”7 Because one of the basic assumptions
of historical cost accounting is that transactions are valued at prices agreed on by two
independent parties (i.e., “arm’s-length transactions”), proper valuation of related-party
transactions can be particularly troublesome. Therefore the auditor needs to pay close
attention to the structure of the related-party transactions to ensure proper accounting
and adjust risk assessment accordingly. Unfortunately, as the following Auditing Insight
shows, auditors do not always recognize and adjust for risk that related-party transactions
may signal.
AUDITING INSIGHT
Are Related Party Transactions Really
That Troublesome?
For the most part, yes. An academic study published in 2017
examines the relationship between related-party transactions and
subsequent financial statement restatements, which would signal the previous existence of a material misstatement. Looking at
3,588 observations, the authors find that companies that engage
in related-party transactions have a higher likelihood of future
restatements, as compared to those that did not have such transactions. In particular, related-party transactions that relate to tone
at the top, such as a loan or consulting arrangement with a director, officer, or major shareholder, are more greatly associated with
restatements than related-party transactions that deal more with
normal course of business events.
Interestingly, auditors may not recognize these transactions as the
red flags they appear to be. When looking at audit fees, companies that
report related-party transactions have lower audit fees than companies
that do not. This is counterintuitive, as you would expect the increased
risk of material misstatement associated with related-party transactions
would require more audit work and therefore higher fees. Companies
with related-party transactions also are less likely to hire auditors that are
industry specialists. The less frequent hiring of industry specialists and
lower audit fees could signal that companies with related-party transactions are, for whatever reason, looking for a lower quality audit.
Sources: M. Kohlbeck and B. Mayhew, “Are Related Party Transactions Red
Flags?” Contemporary Accounting Research 35, no. 2 (2017), pp. 900–928.
Auditors strive to identify related-party relationships and transactions during the
planning stage to be able to obtain evidence that the financial accounting and disclosure for them are proper. Some methods include reviewing the board of directors’
meeting minutes, making inquiries of key executives, and reviewing stock ownership
records. Auditors also should question the persuasiveness of the evidence obtained
from related parties because the source of the evidence may be biased. Hence, auditors
should obtain evidence of the purpose, nature, and extent of related-party transactions
and their effect on financial statements, and the evidence should extend beyond inquiry
of management.
Client Computerized Processing
Clients can exhibit great differences in the way that their computerized processing activities are organized. The degree of centralization inherent in the organizational structure
can vary. A highly centralized organizational structure generally has all significant computerized processing controlled and supervised at a central location. The control environment, the computer hardware, and the computerized systems can be uniform throughout
the company. Auditors can obtain most of the necessary computerized processing information by visiting the central location. At the other extreme, a highly decentralized
organizational structure generally allows various departments, divisions, subsidiaries, or
geographical locations to develop, control, and supervise computerized processing in an
autonomous fashion. In this situation, the computer hardware and the computer systems
are usually not uniform throughout the company. Thus, auditors might need to visit many
locations to obtain the necessary audit information.
7
PCAOB Release No. 2014-02. “Auditing Standard No. 18: Related Parties.” June 10, 2014.
138 Part Two The Financial Statement Audit
Selection and Application of Accounting Principles, Including Related Disclosures
Auditors should evaluate whether the company’s selection and application of accounting
principles are appropriate for its business and consistent with the applicable financial
reporting framework and accounting principles used in the relevant industry. Auditors
should pay attention to significant changes in the company’s accounting principles,
financial reporting policies, or disclosures and the reasons for such changes; significant
accounting principles in controversial or emerging areas; and the methods the company
uses to account for significant and unusual transactions.
Accounting estimates are a concern because numerous fraud cases have involved the
deliberate manipulation of estimates to increase net income. Accounting estimates are
approximations of financial statement numbers and are often included in financial statements. Examples include valuation of investment securities, net realizable value of accounts
receivable, depreciation expense, insurance loss reserves, percentage-of-completion contract revenues, impairment of goodwill, pension expense, warranty liabilities, fair value of
financial instruments, and many more. Management is responsible for making accounting
estimates. Auditors are responsible for determining that all appropriate estimates have been
made, that they are reasonable, and that they are presented in conformity with GAAP and
adequately disclosed. The following Auditing Insight provides a brief description of “what
went wrong” at Toshiba related to an important accounting estimate.
AUDITING INSIGHT
Percentage of Completion Estimates at Toshiba
In early September 2015, the Japanese conglomerate Toshiba
announced a $1.9 billion earnings write down that involved the past
seven fiscal years. The accounting irregularities were primarily related
to “percentage of completion” estimates that were used to account
for both revenue and costs for various infrastructure projects that
included railway system, hydroelectric, and nuclear projects. The
accounting rules specify that the estimates are supposed to represent
reasonable estimates of the extent of contract progress. However,
due to the subjectivity involved in the estimates, there is always an
opportunity for management bias to occur during the estimation
process and for a fraud to occur. As a result, auditors must always
be aware of this possibility whenever they are auditing an accounting
estimate.
Sources: “Toshiba Slashes Earnings for Past Seven Years,” The Wall Street
Journal, September 7, 2015. “Accounting Rife with Estimates Haunted
Toshiba,” CFO.com, September 9, 2015.
With respect to auditing accounting estimates, auditors are supposed to monitor
the differences between management’s estimates and the closest reasonable estimates
supported by the audit evidence and evaluate the differences taken altogether for indications of a systematic bias. For example, management may estimate an allowance for doubtful
accounts to be $50,000, and the auditors may estimate that the allowance could be
$40,000 to $55,000. In this case, management’s estimate is within the auditors’ range of
reasonableness. However, the auditors should note that the management estimate leans
toward the conservative side (more than the auditors’ $40,000 lower estimate but not
much less than the auditors’ higher $55,000 estimate). If other estimates exhibit the same
conservatism and the effect is material, the auditors will need to evaluate the overall reasonableness of the effect of all estimates taken together.
Company Objectives, Strategies, and Related Business Risks
An auditor needs to gain a detailed understanding of the audit client’s strategy to achieve
a competitive advantage within its industry. The purpose of obtaining an understanding of
the company’s objectives and strategies is to identify business risks that could reasonably
be expected to result in material misstatement of the financial statements. Indeed, the
professional standards recognize that most business risks are eventually reflected in the
financial statements. Business risks are any risks that could adversely affect a company’s
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 139
ability to achieve its objectives and execute its strategies. The best starting point for auditors to identify business risks is with management, as their jobs require knowledge of
such risks. Although not all business risks are relevant to auditors, the following are
examples of potential business risks that might result in material misstatement of the
financial statements:
∙ Industry developments for which the company does not have the personnel or expertise
to deal with the changes.
∙ New products and services that might not be successful.
∙ Expansion of the business when the demand for the company’s products or services
has not been accurately estimated.
∙ The effects of implementing a strategy that will lead to new accounting requirements.
∙ Financing requirements that the company may be unable to meet, resulting in a loss of
financing.
Understanding a company’s objectives and strategies, as well as having knowledge of
other industry and company specific factors discussed in the previous sections, allows the
auditor to better understand the client’s business risk, which is a precursor to assessing inherent
and control risk. Gaining an understanding of strategies and processes involves gathering
evidence in areas not historically addressed by auditors. Auditors might ask production
personnel about labor problems or marketing personnel about product quality or competition. The process has been criticized by some as being more consulting than auditing,
but it is essential in order to assess the risk of material misstatements. It addresses factors that audit team members could miss by getting lost in the details of an approach that
simply started with the financial statements. Business risk assessment also makes auditors
much more knowledgeable about their client’s business and its environment. We should
note that, even when taking a top-down approach that starts with an understanding of the
risks faced by the client in executing its strategy within the industry, the audit team ultimately still has to focus its procedures on the significant accounts and relevant management assertions.
Company Performance Measures
The purpose of obtaining an understanding of the company’s performance measures
is to determine what information management and others deem to be key indicators
of company performance that may affect the risk of material misstatement. A key step for
auditors to consider is to try to understand those measures to which management or
financial statement users might be sensitive. For example, measures used to determine
management compensation or analysts’ ratings might place pressure on management
to manipulate financial results. Also, auditors might gain a better understanding of
their clients by reviewing measures management uses to monitor operations, such
as budget variances or trend analysis. Finally, those measures might be indicators
of qualitative factors that should be considered when determining materiality, as
discussed in Chapter 3.
REVIEW CHECKPOINTS
4.10 Why is it important for an auditor to carefully assess inherent risk on each audit engagement?
4.11 What is meant by the nature of the company, and why is it important to inherent risk assessment?
4.12 Why should auditors understand their clients’ performance measures when assessing inherent risk?
4.13 What is the major concern for auditors related to evidence obtained from related parties?
140 Part Two The Financial Statement Audit
GATHERING INFORMATION AND PRELIMINARY
ANALYTICAL PROCEDURES
LO 4-4
Understand the different
sources of information and
the audit procedures used
by auditors when assessing
risks, including analytical
procedures, brainstorming,
and inquiries.
As discussed in the previous section, auditors have a responsibility to gain an understanding of their clients’ businesses and their environments to be able to properly assess risk.
There are a variety of different sources of information and audit procedures auditors use
to gain that understanding. Only a few of the many different sources of information available are described briefly in this section. The AICPA industry accounting and auditing
guides are often a very good place to start. These guides explain the typical transactions
and accounts used by various types of businesses and not-for-profit organizations. Many
databases and information sources are available on the Internet, such as the Library of
Congress E-resources Online Catalog (https://eresources.loc.gov/).
Auditors should make sure to read public information about the company, such as
company-issued press releases, company-prepared presentation materials for analysts or
investor groups, and analyst reports, as well as to observe or read transcripts of earnings
calls and, to the extent publicly available, of other meetings with investors or rating agencies. Auditors also need to obtain an understanding of compensation arrangements with
senior management, including incentive compensation arrangements, changes or adjustments to those arrangements, and special bonuses, by reviewing the documents and discussing the arrangements with management. Board of directors compensation committee
minutes often contain useful information about the intent of such arrangements.
General Business Sources
Most industries have specialized trade magazines and journals. You may not choose to read
Grocer’s Spotlight for pleasure, but magazines of this special type are very valuable for
learning and maintaining an industry expertise. In addition, specific information about public companies can be found in registration statements and10-K reports filed with the SEC.
General business magazines and newspapers often contribute insights about an industry,
an entity, and individual corporate officers. Many are available, including such leaders as
Bloomberg Businessweek, Forbes, Fortune, Harvard Business Review, Barron’s, and The
Wall Street Journal. Auditors typically read several of these regularly. Additionally, many
companies present “company story” information on their websites. A visit to company websites can provide a wealth of information about products, markets, and strategies. For public
companies, auditors should also monitor the client’s daily stock price for any unusual trading
activity that might indicate new information that affects the company’s business risk.
Company Sources
Other early information-gathering activities include (1) reviewing the corporate charter and bylaws or partnership agreement; (2) reviewing contracts, agreements, and legal
proceedings; and (3) reading the minutes of the meetings of directors and committees of
the board of directors. The minutes provide a history of the company, critical events and
significant transactions, and future company intentions. A company’s failure to provide
minutes is a significant scope limitation that could result in the public accounting firm’s
disclaiming an opinion on the company’s financial statements.
Information from Client Acceptance or Continuance Evaluation,
Audit Planning, Past Audits, and Other Engagements
A great deal of information about the client is gathered in the pre-engagement planning
process discussed in Chapter 3. Auditors evaluate the competence and integrity of management and the riskiness of the business before taking or continuing a client. As noted,
the best indicator of the risk of a material misstatement is the presence of misstatements
in previous audits that required adjusting entries. For example, for nonpublic clients, public accounting firms often develop client income tax provisions once the audit is complete; thus, the income tax adjusting entry would show up as an adjustment every year.
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 141
Finally, auditors who have industry expertise often have more than one client in that
industry, so they can transfer general knowledge of risks encountered in other clients
while maintaining confidentiality standards required by the profession.
What’s in the Minutes of Meetings?
Boards of directors are responsible for monitoring their companies’ businesses. The minutes of their meetings and the meetings of their committees (e.g., executive committee, finance committee, compensation
committee, and audit committee) frequently contain information of vital
interest to the independent auditors. Some information examples follow:
•
•
•
Amount of dividends declared.
•
•
•
Acceptance of contracts, agreements, and lawsuit settlements.
Elections of officers and authorization of officers’ salaries.
Authorization of stock options and other incentive compensation
arrangements.
Approval of major purchases of property and investments.
Discussions of possible mergers and divestitures.
•
•
•
•
∙
Authorization of financing by stock issuance, long-term debt issuance,
and leases.
Approval to pledge assets as security for debts.
Discussion of negotiations on bank loans and payment waivers.
Approval of accounting policies and accounting for significant and
unusual transactions.
Authorizations of individuals to sign bank checks.
Auditors take notes or make copies of important parts of these minutes and compare them to information in the accounts and disclosures
(e.g., compare the amount of dividends declared to the amount paid, compare officers’ authorized salaries to amounts paid, compare agreements
to pledge assets to proper disclosure in the notes to financial statements).
Preliminary Analytical Procedures
Professional standards mandate that auditors complete analytical procedures at the beginning of an audit—preliminary analytical procedures—and at the end of an audit when the
partners in charge review the overall quality of the work and look for apparent problems.
Analytical procedures can also be used as a substantive testing procedure to gather evidence
about the relevant assertion being tested. When completing analytical procedures at any
time during the audit, auditors are required to develop an expectation about what an account
balance should be and then compare that expectation to the recorded balance. When performing preliminary analytical procedures, as discussed in this section, auditors typically
use the prior-year balances as the starting point for their expectation for each account balance. At this stage, analytical procedures are reasonableness tests; auditors compare their
expectation for each of the account balances with those recorded by management. During
this critical point of the engagement, auditors use analytical procedures to identify potential
problem areas so that subsequent audit work can be designed to reduce the risk of missing something important. Analytical procedures during the preliminary stages also provide
an organized approach—a standard starting place—for becoming familiar with the client’s
business and identifying areas of risk. Auditors need to remember that preliminary analytical
procedures are based on unaudited data, so they should consider the effectiveness of controls over their reliability when deciding how much weight to place on the results.
Auditors should perform five steps when completing analytical procedures:
1. Develop an expectation. A variety of sources can provide evidence for auditors’ expectations of the balance in a particular account:
∙ Balances for one or more comparable periods (e.g., vertical and horizontal analyses).
∙ Anticipated results found in the company’s budgets and forecasts.
∙ Leveraging predictable patterns among account balances based on the company’s
experience.
∙ Relevant information from third-party sources for the industry in which the company operates.
∙ Relevant nonfinancial information (e.g., physical production statistics, sales orders).
2. Define a significant difference. Basically, the question is, “What percentage (or dollar)
difference from your expectation can still be considered reasonable?” It is important
142 Part Two The Financial Statement Audit
that this decision be made before making the comparison to prevent auditors from
rationalizing differences and failing to follow up.
3. Compare expectation with the recorded amount. Many auditors start with comparative
financial statements and calculate year-to-year changes in balance-sheet and incomestatement accounts (horizontal analysis). They next calculate common-size statements
(vertical analysis) in which financial statement amounts are expressed as percentages of
a base, such as sales for the income-statement accounts or total assets for the balancesheet accounts. Although vertical and horizontal analyses are fairly basic, other analytical procedures—including mathematical time series and regression calculations,
comparisons of multiyear data, and trend analyses—can be more complex.
4. Investigate significant differences. Auditors typically look for relationships that do not
make sense as indicators of problems in the accounts, and they use such indicators to
plan additional audit work. In the planning stage, analytical procedures are used to identify potential problem areas so that subsequent audit work can be designed to reduce the
risk of missing something important. The application demonstrated here can be described
as attention directing: pointing out accounts that could contain errors and frauds. The
insights derived from preliminary analytical procedures do not provide direct evidence
about the numbers in the financial statements. Although the insights derived from preliminary analytical procedures provide only limited evidence about the numbers in the financial statements, they do help auditors identify risks as an aid in preparing the audit plan.
5. Document each of the preceding steps. Auditors should document each step in completing their analytical procedures.
As an example, let’s walk through the steps for completing preliminary analytical procedures for Dunder-Mifflin Inc. Exhibit 4.10 contains financial balances for the DunderMifflin Inc.’s prior year (consider them audited) and the current year (consider them
unaudited at this stage). Let’s assume there have been no significant changes in operations
or the industry, therefore current-year recorded amounts should be fairly similar to those
of the prior year (step 1). Because changes are not expected, auditors can identify any
changes that are more than 10 percent and $100,000 as deserving additional attention
(step 2). Note that the threshold is both 10 percent and $100,000 instead of just one trigger
or the other. A change in an account balance from $100 to $200 is a 100 percent change,
but the change is clearly immaterial. Similarly, an increase in sales from $9.9 million to
$10 million meets the $100,000 threshold but does not appear unreasonable in percentage
terms. In step 3, auditors compare expectations with the recorded balances. Along with
financial balances, Exhibit 4.10 also shows common-size statements (vertical analysis) for
both the prior and current year and the dollar amount and percentage change (horizontal
analysis) between the two years.
The investigation of significant differences (step 4) is probably the most critical step
in the analytical procedures process. After generating basic financial data and relationships, the next step is to determine whether the financial changes and relationships
actually describe what is going on within the company. According to the current-year
unaudited financial statements in Exhibit 4.10, the company increased net income by
increasing sales 10 percent, reducing cost of goods sold as a proportion of sales, and
controlling other expenses. At least some of the sales growth appears to have been
prompted by easier access to credit (accounts receivable increased by 80 percent) and
more service (more equipment in use). The company also appears to have used most
of its cash and borrowed more to purchase equipment, make payments on long-term
debt, and pay dividends. Inventory and cost of goods sold, on the other hand, remained
fairly consistent compared to the previous year, with both accounts increasing by only
6.7 percent.
The next step is to ask, “What could be wrong?” and “What errors and frauds, as well
as legitimate explanations, could account for these financial results?” As an example of
how analytical procedures are used, we limit our attention to the Accounts Receivable
and Inventory accounts. At this point, some other ratios can help support the analysis.
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 143
EXHIBIT 4.10 Dunder-Mifflin Inc.—Preliminary Analytical Procedures Data
Prior Year
Balance
Current Year
Common Size
Change
Balance
Common Size
Amount
Percent Change
Income
Sales (net)
$9,000,000
100.00%
$9,900,000
100.00%
$ 900,000
10.00%
Cost of goods sold
6,750,000
75.00
7,200,000
72.73
450,000
6.67
Gross margin
2,250,000
25.00
2,700,000
27.27
450,000
20.00
General expense
1,590,000
17.67
1,734,000
17.52
144,000
9.06
Depreciation
300,000
3.33
300,000
3.03
0
0.00
Operating income
360,000
4.00
666,000
6.46
306,000
85.00
Interest expense
60,000
0.67
40,000
0.40
(20,000)
−33.33
120,000
Income taxes (40%)
Net income
1.33
256,000
2.59
136,000
113.33
$ 180,000
2.00%
$370,000
3.74%
$ 190,000
105.56%
$600,000
14.78%
$ 200,000
4.12%
($400,000)
−66.67%
Assets
Cash
Accounts receivable
500,000
12.32
900,000
18.56
400,000
80.00
Allowance for doubtful
accounts
(40,000)
–0.99
(50,000)
–1.03
(10,000)
25.00
1,500,000
36.95
1,600,000
32.99
100,000
6.67
2,560,000
63.05
2,650,000
54.63
90,000
3.52
3,000,000
73.89
4,000,000
82.47
1,000,000
33.33
Accumulated
depreciation
(1,500,000)
–36.95
(1,800,000)
–37.11
(300,000)
20.00
Total assets
$4,060,000
100.00%
$4,850,000
100.00%
$790,000
19.46%
$500,000
12.32%
$400,000
8.25%
($100,000)
−20.00%
Inventory
Total current assets
Equipment
Liabilities and Equity
Accounts payable
Bank loans, 11%
0
0.00
750,000
15.46
750,000
Accrued interest
60,000
1.48
40,000
0.82
(20,000)
Total current liabilities
−33.33
560,000
13.79
1,190,000
24.53
630,000
112.50
Long-term debt, 10%
600,000
14.78
400,000
8.25
(200,000)
−33.33
Total liabilities
1,160,000
28.57
1,590,000
32.78
430,000
37.07
2,000,000
49.26
2,000,000
41.24
0
0.00
Retained earnings
900,000
22.17
1,260,000
25.98
360,000
40.00
Total liabilities and equity
$4,060,000
100.00%
$4,850,000
100.00%
$ 790,000
Capital stock
19.46%
Exhibit 4.11 contains several familiar ratios. (Appendix 4A at the end of this chapter
contains these ratios and their formulas.)
∙ Question: Are the accounts receivable collectible? (Alternative: Is the allowance for
doubtful accounts large enough?) Easier credit can lead to more bad debts. The company
has a much larger amount of receivables, the days’ sales in receivables has increased
significantly, the receivables turnover has decreased, and the allowance for doubtful
accounts is smaller in proportion to the receivables. If the prior-year allowance for bad
debts at 8 percent of receivables was appropriate and conditions have not become worse,
it could be that the allowance should be closer to $72,000 than $50,000. The auditors
should work carefully on the evidence related to accounts receivable valuation.
144 Part Two The Financial Statement Audit
EXHIBIT 4.11
Dunder-Mifflin Inc.—
Selected Financial
Ratios
Prior Year
Current Year
Percent Change
4.57
18.40
0.08
80.00
0.40
2.23
30.91
0.06
80.00
0.49
— 51.29%
67.98
— 30.56
0.00
21.93
19.57
4.50
75.00%
25.00%
6.62%
11.65
4.50
72.73%
27.27%
12.76%
— 40.47
0.00
— 3.03
9.09
92.80
0.49
0.22
0.09
2.59
2.22
4.96
0.30
0.26
0.14
1.89
2.04
4.35
— 38.89
17.20
54.87
— 27.04
— 7.92
— 12.32
Balance-Sheet Ratios
Current ratio
Days’ sales in receivables
Doubtful accounts ratio
Days’ sales in inventory
Debt/equity ratio
Operations Ratios
Receivables turnover
Inventory turnover
Cost of goods sold/Sales
Gross margin percentage
Return on beginning equity
Financial Distress Ratios (Altman)
Working capital/Total assets
Retained earnings/Total assets
EBIT/Total assets
Market value of equity/Total debt
Net sales/Total assets
Discriminant Z-score
∙ Question: Could the inventory be overstated? (Alternative: Could the cost of the goods
sold be understated?) Overstatement of the ending inventory would cause the cost of
goods sold to be understated. The percentage of cost of goods sold to sales shows a
decrease. If 75 percent of the prior year represents a more accurate cost of goods sold
amount, then the income before taxes could be overstated by $225,000 (75 percent
of $9.9 million minus $7.2 million unaudited cost of goods sold). The days’ sales in
inventory and the inventory turnover remained the same, but you could expect them to
change in light of the larger volume of sales. Careful work on the physical count and
valuation of inventory appears to be needed.
Investigating significant differences and generating hypotheses of the cause of difference (i.e., “what can go wrong”) are important for maintaining professional skepticism
and properly assessing risk. However, as the following Auditing Insight discusses, while
generating hypotheses is important, auditors need not come up with an exhaustive list.
AUDITING INSIGHT
Too Much of a Good Thing?
The fourth step in the process of performing analytical procedures is
investigating significant differences between what is expected and
what is recorded. Coming up with more explanations for why a significant difference exists seems like it would be a good thing, as the auditor would be more likely to discover the true reason for the difference.
Well, it seems in this case that too much of a good thing can actually
be bad. A recent experimental study examines auditors tendency to
rely on client explanations after generating their own ideas for why a
difference exists between expected and recorded amounts. Auditors
that were asked to generate more ideas (6) were more likely to anchor
on the client’s explanation than auditors that were only asked to generate two ideas. This phenomenon occurred even when auditors were
given information indicating that control risk was high, a situation that
generally warrants higher levels of professional skepticism. Overall
these results indicate that the difficulty of generating more ideas can
actually cause auditors to let their guard down and get “lazy” when it
comes to professional skepticism.
Source: A.M. Rose, J.M. Rose, I. Suh, and J. Thibodeau, “Analytical Procedures: Are More Good Ideas Always Better for Audit Quality?,” Accounting
Horizons, Spring 2020, pp. 37-49.
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 145
Other questions can be asked and other relationships derived when industry statistics
are available. Industry statistics can be obtained from such services as Yahoo! Finance,
Google Finance, Dun & Bradstreet, and Standard & Poor’s. These statistics include
industry averages for important financial benchmarks such as gross profit margin, return
on sales, current ratio, debt/net worth, and various others. A comparison with client data
can reveal out-of-line statistics, indicating a relatively strong feature of the company,
a weak financial position, or possibly an error or misstatement in the client’s financial
statements. However, care must be taken with industry statistics. A particular company
could or could not be well represented by industry averages.
Comparing reported financial results with internal budgets and forecasts also can
be useful. If the budget or forecast represents management’s estimate of probable
future outcomes, planning questions can arise for items that fall short of or exceed the
budget. If a company that expected to sell 10,000 units of a product sold only 5,000
units, the auditors would want to plan a careful analysis of the inventory of unsold
units for obsolescence (valuation). If 15,000 were sold, an auditor would want to audit
for sales validity (occurrence). Budget comparisons can be tricky, however. Some
companies use budgets and forecasts as goals rather than as expressions of probable
outcomes. Also, meeting the budget with little or no shortfall or excess can result from
managers’ manipulating the numbers to “meet the budget.” Auditors must be careful
to know something about an entity’s business conditions from sources other than the
internal records when analyzing comparisons with budgets and forecasts to determine
inherent risk.
As previously stated, professional standards require auditors to perform analytical
procedures during the planning stages of the audit “with the objective of identifying unusual or unexpected relationships” involving significant financial accounts “that
might indicate a material misstatement, including material misstatement due to fraud.”
When doing so, the auditor should consider all types of relevant data to help improve
their understanding of risk on the audit. Importantly, professional standards allow the
use of “data that is preliminary or data that is aggregated at a high level” when completing analytical procedures at the planning stages. As a result, the increased use of
big data and analytical tools has the potential to improve the effectiveness of this type
of risk assessment procedure.8
Indeed, auditors now have the opportunity to use new types of analyses that utilize
third-party data to supplement their “traditional” analytical procedures. The additional
data can help auditors refine their expectations and improve the results of preliminary
analytical procedures, which form initial beliefs about the nature, timing, and extent of
audit evidence to be gathered from an audit client. While this type of access to increased
volumes of data on the client has the potential to improve audit effectiveness, it also can
have an initial negative impact on audit efficiency if audit professionals are unable to
efficiently execute such additional procedures.
While the availability of even more third-party data offers considerable promise
for auditors when completing preliminary analytical procedures, audit professionals in
today’s environment also need to learn how to make the best use of internal client data
when completing such procedures. For example, when completing preliminary analytical procedures, the availability of largely all of the client’s internal data can allow
for a more robust trend analysis (i.e., year over year) on a multitude of financial and
nonfinancial data. Auditors are encouraged to consider the facts and circumstances of
each audit engagement and utilize computer-assisted audited techniques to facilitate
the most useful trend analyses for the financial statement audit. The following insert
provides guidance on how IDEA can be used to improve the efficiency of analytical
procedures.
8
See PCAOB Release 2010-04. “Identifying and Assessing Risks of Material Misstatement.” August 5, 2010.
146 Part Two The Financial Statement Audit
USING IDEA IN THE AUDIT
The IDEA software package can be helpful when summarizing internal client data for purposes of analytical procedures used during the
planning process. For example, in the IDEA Analysis Workbook, it is
stated that “IDEA can help with the preparation of figures for an analytical review. In particular, IDEA can generate analyses that would
not otherwise be available. The Stratification task (from the Analysis
tab on the IDEA Ribbon) generates a profile of the population in value
bands, groups of codes, or dates. This is particularly useful when
auditing assets such as accounts receivable, inventories, or loans or
Analytical Procedures
for a breakdown of transactions. Additionally, the information can
be summarized by particular codes or subcodes. Figures can also be
compared against previous years to determine trends. A chart can be
produced if required.”
At the end of this chapter, problems 4.68, 4.69 and 4.70 can be
completed to illustrate the use of IDEA during preliminary analytical
procedures. To be most useful, each of these analyses would have to
be completed for multiple years so comparisons could be made and
meaningful expectations could be developed.
Audit Team Brainstorming Discussions
On every audit engagement, the risk assessment process includes required audit team
brainstorming sessions in which critical audit areas are discussed. These sessions update
audit team members on important aspects of the audit and heighten team members’
awareness of the potential for fraud and errors in the engagement. Items typically discussed include previous experiences with the client, how a fraud might be perpetrated
and concealed by the client, and procedures that might detect fraud. When studying a
business operation, auditors’ ability to think like a criminal and devise ways to steal can
help in creating procedures to determine whether fraud has happened. Often, imaginative
extended procedures can be employed to unearth evidence of fraudulent activity.
A secondary objective of the discussions is to set a proper tone for the engagement. These
sessions address not only fraud risk, but also other client business and audit-related risk assessments. While these brainstorming sessions typically begin during the planning stage of engagements, they should be held on a continual basis through the conclusion of the engagement.
Many firms have fraud specialists that assist audit teams throughout the risk assessment process. If an auditor’s specialists are assigned to the audit, their involvement during
brainstorming sessions is particularly important because, as a result of their experience,
they are particularly adept at identifying critical audit areas and how these areas influence the risk of misstatement due to fraud.
AUDITING INSIGHT
∙
∙
∙
∙
∙
Some Best Practices in Brainstorming
An engagement partner or an auditor’s forensic specialist is the
best choice to lead the brainstorming session, but the use of
group decision software (which protects individuals’ identities)
allows each engagement team member to participate freely without fear of intimidation or repercussion. Managers and partners
should be active participants.
Audit team members should be reminded of the purpose of the
brainstorming session and stress the importance of professional
skepticism.
A good strategy is to discuss material misstatements found in previous audits and/or frauds found on similar engagements.
When checklists are used, fully discuss each item on the list and
don’t limit discussions solely to items on the checklist. In other
words, consider what might have been left off the checklist.
The idea-generation phase should be separated from the
idea-evaluation phase. Considering each threat as it is
∙
∙
∙
∙
brought up may cause individuals to feel slighted and may
inhibit further idea generation. Engagement team members
should be encouraged to discuss why they feel an identified
risk is important.
An information technology audit specialist should attend.
The session should be held during preplanning or early in the planning stage.
It should include discussion of how management might perpetrate
fraud and audit responses to fraud risk.
Time should be set aside at the end of the session to indicate how
the audit plan should be modified as a result of the discussions.
Sources: M. Landis, S. Jerris, and M. Braswell, “Better Brainstorming,” Journal
of Accountancy, October 2008, pp. 70–73; J. F. Brazel, T. D. Carpenter, and
J. G. Jenkins, “Auditors’ Use of Brainstorming in the Consideration of Fraud: Reports
from the Field,” The Accounting Review 85, no. 4 (July 2010), pp. 1273–1301.
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 147
Inquiry of Audit Committee, Management, and Others within the Company
Interviewing the entity’s management, internal auditors, directors, the audit committee,
and other employees is a required audit process that can bring auditors up to date on
changes in the business and the industry. Such inquiries of client personnel have the multiple
purposes of building personal working relationships, observing the competence and
integrity of client personnel, obtaining a general understanding of the client or company,
and probing for problem areas that could harbor financial misstatements. Issues to discuss
include selection of accounting principles; susceptibility to errors and fraud, including
known or suspected fraud; and how management controls and monitors fraud risks. Other
company employees to question might include operations or marketing managers or those
involved in significant and unusual transactions.
Another source of information is company discussion boards, apps, or websites, such
as that highlighted in the Auditing Insight that follows, where anonymous whistleblowers
can post information that management may not wish to disclose to auditors.
AUDITING INSIGHT
What do Apps Like “Blind” Mean for Auditors?
Blind is an app launched originally in the U.S. in 2015 that allows
employees to anonymously post about compensation, workplace
harassment, company policies, and more. Employees use company
email addresses to create an account with Blind, after which the
employee is verified and added to a specific company board that is
only visible by employees of that firm. Despite using a work email
address to sign up, Blind claims on their website to have a “patented
infrastructure” to guarantee the anonymity of posts. Blind has recently
begun accepting public domain names such as Gmail and Yahoo,
although accounts created with public domains will have limited
access to only topics channels, which include HR Issues, office life,
and so on. Blind is not the first app of its kind; it follows apps such as
Secret and Whisper, although it is unique in that it is more focused on
sharing “workplace” secrets.
In the past few years, Blind received a lot of press for exposing
sexual harassment issues and inappropriate accessing of customer
data within organizations. As auditors, what kind of information could
Blind tell us about management integrity at the client? Could accounting fraud be the next big trending topic on Blind? Auditors may want
to consider thinking out of the box and looking inside the apps as
another source of information about their clients.
Source: Sara O’Brien, “App lets workers talk about their companies anonymously,” CNN Business, February 12, 2018.
REVIEW CHECKPOINTS
4.14 What are some types of knowledge and understanding about a client’s business and industry that
an auditor is expected to obtain? What are some of the methods and sources of information for
understanding a client’s business and industry?
4.15 What is the purpose of performing preliminary analytical procedures in audit planning?
4.16 What are the five steps involved with the use of preliminary analytical procedures?
4.17 What are some of the ratios that can be used in preliminary analytical procedures?
4.18 When are analytical procedures required, and when are they optional?
OVERALL ASSESSMENT AND DOCUMENTATION
OF INHERENT RISK ASSESSMENT
LO 4-5
Explain how auditors
complete and document
the overall assessment of
inherent risk and the special
considerations given to fraud
risks and noncompliance with
laws and regulations.
The overall goal of the risk assessment process that has been described in this chapter
is to identify and then properly assess the risks of material misstatement that exist at
an audit client. Once the risk assessment process is complete, auditors have a basis to
plan and then implement an appropriate testing response for each of the assessed risks.
This process must be completed in a very detailed manner for each relevant assertion
related to each significant financial statement account and disclosure. In a sense, auditors need to think about how all of the risks identified at the company and the financial
statement level could affect risks of material misstatement at the relevant assertion level.
148 Part Two The Financial Statement Audit
If you recall from our discussion of the audit risk model, the overall risk of material
misstatement includes both inherent risk and control risk. We will discuss the assessment
of control risk and the effect of tests of control in Chapter 5. For now, we will focus on
the assessment of inherent risk, which needs to be evaluated without regard to the system
of internal controls.
The assessment of inherent risk needs to occur for each significant financial statement
account and disclosure. An account or disclosure is significant if there is a chance that
it could contain a material misstatement. When making this determination, the auditor
should evaluate both the quantitative and the qualitative risk factors associated with the
financial statement account or disclosure. When doing so, clearly the overall materiality
level is a critically important factor. However, it is possible that an account or disclosure could be significant even though its balance is below materiality. For example, an
account balance may be understated or a disclosure could be omitted, among a host of
other factors. Once each of the significant accounts and disclosures have been identified,
the auditor then needs to identify the relevant financial statement assertions.
Relevant Assertions
According to the professional standards (AS 2201.28), a financial statement assertion
is relevant if it has a “reasonable possibility of containing a misstatement that would
cause the financial statements to be materially misstated.” Therefore, based on all of the
risk assessment procedures performed, auditors must identify those assertions that have
a meaningful bearing on whether the account is fairly stated. For example, the valuation
assertion would only be relevant to the cash account if the audit client had cash accounts
that were denominated in a foreign currency. However, due to the nature of cash, it is
likely that the existence assertion would always be relevant.
Once each relevant assertion is identified for each significant account and disclosure, the
auditor must then identify the likely sources of misstatements that could cause the financial
statements to be materially misstated. It is important that this step is completed at a detailed
and almost granular level. To do so, the professional standards suggest that an auditor
should consider “what could go wrong” when thinking about each of the relevant financial
statement assertions. The comprehensive identification of “what could go wrong” for each
relevant financial statement assertion is the foundation for the risk assessment process and
ultimately the audit plan. Exhibit 4.12 provides a summary of this process.
Once the likely sources of misstatements that could cause the financial statements
to be materially misstated have been identified, the auditors’ next task is to assess the
types of risk present, the likelihood that material misstatement has occurred, the magnitude of the risk, and the pervasiveness of the potential for misstatement. This lays the
groundwork for the identification of internal controls that the client should have in place
EXHIBIT 4.12
What Could Go
Wrong?
Significant Account
Relevant Assertions
What Could Go Wrong?
Cash
Existence
The cash balance may not exist in the company’s bank
accounts.
Valuation
The cash balance that is held in foreign countries may not
have been translated properly.
Presentation and
disclosure
There may be restrictions on the cash balance that were
not properly disclosed.
Existence
Accounts receivable balances are inflated and don’t really
exist.
Completeness
Not all accounts receivable have been recorded.
Valuation
Receivables are not included in financial statements at the
appropriate amount, and valuation adjustments are not
recorded properly.
Accounts Receivable
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 149
to mitigate the various risks of material misstatement, which will be explored in detail in
Chapter 5.
Required Documentation
Auditors must carefully document the risk assessment process in the workpapers to provide a record of the procedures performed. Items that must be documented include the
following:
∙
∙
∙
∙
∙
∙
∙
∙
Discussions with engagement personnel.
Procedures to identify and assess risk.
Significant decisions during discussion.
Specific risks identified and audit team responses.
Explanation of why improper revenue recognition is not a risk, if so deemed.
Results of audit procedures, particularly procedures regarding management override.
Other conditions causing auditors to believe that additional procedures are required.
Communications to management and those charged with governance, such as the audit
committee.
Other Considerations
Fraud and Significant Risks
In addition to the risk assessment based on factors previously identified, auditing standards require several other fraud risk assessments to be made. First, auditors must presume that improper revenue recognition is a fraud risk. Another risk is that, despite the
existence of controls, management might override the controls through force of authority.
Because several major frauds were committed through year-end adjusting entries, auditors must examine journal entries and other adjustments (especially those made close
to year-end). If any significant and unusual accounting entries are identified, auditors
must evaluate the business rationale behind the significant transactions. Team members
gather information necessary to identify key fraud risk factors (red flags) indicating an
increased potential for fraud to occur.
In addition, while completing risk assessment procedures, auditors may determine
that an identified risk represents a significant risk. Significant risks are those risks that
require special audit consideration because of the nature of the risk or the likelihood
and potential magnitude of misstatement related to the risk. By definition, fraud risks
are significant risks. Auditors should specifically examine controls and design tests to
address significant risks. Auditors should evaluate quantitative and qualitative risk factors based on the likelihood and potential magnitude of misstatements. They should
consider whether the risk is related to recent significant economic, accounting, or other
developments; the complexity of transactions; whether the risk involves related parties;
the degree of complexity or judgment required and uncertainty involved; and whether the
risk involves significant transactions that are unusual or outside the company’s normal
course of business.
Auditors must next respond to the results of the risk assessments. Using the audit risk
model, the auditor adjusts detection risk for significant accounts and relevant disclosures. Additional considerations must be made for risks identified as significant risks.
For example, if the potential for fraud is high, auditors should include more experienced team members. Other responses include examining more transactions, performing extended procedures, including targeting tests toward higher-risk areas, performing
more tests of transactions at year-end rather than at interim points, and gathering higher
quality evidence. Finally, the auditors should use less predictable audit procedures such
as “surprise” inventory observations in which management is not told at which company warehouse locations auditors will show up to watch the client counting inventory or
extended procedures such as using larger sample sizes.
150 Part Two The Financial Statement Audit
Finally, when collecting evidence to support the financial statements throughout the
audit, auditors must remain vigilant against the potential for fraud. Discrepancies in the
accounting records, conflicting evidence, and missing documentation are all symptomatic of financial statement fraud. When such instances are identified, auditors must follow
up with management to identify the source of the problems. Management’s response is a
key source of evidence; vague, implausible, or inconsistent responses to inquiries can be
a key indicator of the pervasiveness of the fraud. Similarly, problematic or unusual reactions such as refusal to cooperate, hostility, or management delays in responding to the
auditors are often present in financial statement frauds. The evaluation for potential fraud
continues throughout the audit. Audit team members must be on the lookout for unusual
findings or events and, upon discovery, not simply write them off as isolated occurrences.
Communication of Fraud Risks
Auditors must always exercise significant care because accusations of fraud are taken
very seriously by audit clients. For this reason, if preliminary findings indicate fraud possibilities, auditors should enlist the cooperation of management and assist fraud examination professionals when bringing an investigation to a conclusion.
Standards for external auditors contain materiality thresholds related to auditors
reporting their knowledge of frauds. Auditors may consider some minor frauds clearly
inconsequential, especially when they involve misappropriations of assets by employees
at low organizational levels. Auditors should report these to management at least one
level above the people involved. The idea is that small matters can be kept in the management family. Having said this, fraud has often been compared to an iceberg: most of it can
be hidden from sight. For this reason, auditors should be extremely cautious in deciding
whether a fraud is “clearly inconsequential.”
On the other hand, frauds involving senior managers or employees with significant
internal control roles are never inconsequential and should be reported (along with any
frauds that cause material misstatement in the financial statements) directly to those
charged with governance, usually the entity’s audit committee of its board of directors.
All companies with securities traded on the exchanges (e.g., New York, American, and
NASDAQ) are required to have audit committees. Audit committees are composed of independent, outside members of the board of directors (those not involved in the company’s
day-to-day operations) who can provide a buffer between the audit firm and management.
Auditing standards set forth requirements intended to ensure that audit committees are
informed about the scope and results of the independent audit.9 External auditors are
required to make oral or written communications about other topics, including the discovery of fraud.
Auditors are normally required to keep client information confidential. However,
under AICPA auditing standards, limited disclosures to outside agencies of frauds and
clients’ noncompliance are permitted. If the audit firm resigns or is fired, the firm can
cite these matters in the letter attached to SEC Form 8-K, which requires explanation
of an organization’s change of auditors. The predecessor auditor may tell the successor auditor about the client when the successor makes the inquiries required by auditing
standards. Auditors must respond when answering a subpoena issued by a court or other
agency with authority. When performing work under generally accepted government
auditing standards (mandated by the Government Accountability Office), auditors are
required to report frauds and noncompliance to the client agency under the audit contract.
Noncompliance with Laws and Regulations
In addition to errors and fraud, a client’s noncompliance with laws and regulations can
cause financial statements to be materially misstated, and external auditors are advised
9
Professional standards have broadened communications to include groups that serve in a similar role for private companies and
refers to such groups as “those charged with governance.” Audit committees serve in this role for public companies.
Chapter 4
EXHIBIT 4.13
Indicators of
Noncompliance with
Laws and Regulations
The Audit Risk Model and Inherent Risk Assessment 151
The following can be indicators of a company’s noncompliance:
• Investigations, fines, or penalties
• Payments for unspecified services or loans to consultants, related parties, employees, or government
employees
• Excessive sales commissions or agent’s fees
• Purchases significantly above or below market
• Unusual payments in cash, cashiers’ checks to bearer, or transfers to numbered accounts
• Unusual transactions with companies in tax havens
• Payments to countries other than origination
• Inadequate audit trail
• Unauthorized or improperly recorded transactions
• Media comment
• Noncompliance cited in reports of examinations
• Failure to file tax returns or pay government duties or fees
to be aware of circumstances that could indicate noncompliance (Exhibit 4.13). Auditors are not required to be legal experts, but they must understand the legal and regulatory framework under which their client operates and how the entity is compliant with
that framework. Auditing standards deal with two types of noncompliance: (1) directeffect noncompliance, which produces direct and material effects on financial statement
amounts (e.g., violations of pension laws or government contract regulations for revenue
and expense recognition) that require the same assurance as errors and frauds (i.e., auditors must plan their work to provide reasonable assurance there are no material misstatements), and (2) indirect-effect noncompliance, which refers to violations of laws and
regulations that are not directly connected to financial statements (e.g., occupational
health and safety, food and drug administration regulations, environmental protection,
and equal employment opportunity).
For direct-effect noncompliance, an auditor should consider the laws and regulations
that are typically known by auditors to have a direct and potentially material effect on the
financial statements. A classic example would be the corporate income tax code. Under
tax law, the auditor knows that corporate taxes will impact both the accrued tax payable
account and the income tax expense account in the financial statements. Another example might involve regulations that dictate the amount of revenue to be recorded by a client
for a government contract. The Auditing Insight below provides yet another example of
a violation that led to misstated financial statements. As you consider these examples
and their direct effect on the financial statements, it is not surprising that, according to
AUDITING INSIGHT
That’s Some Costly In-flight Entertainment
In April 2018, Panasonic agreed to pay the Department of Justice
$137 million and another $143 million to the SEC for a total penalty of
$280 million related to violations of the Foreign Corrupt Practices Act
(FCPA). Panasonic Avionics Corp. (PAC), the in-flight entertainment
unit of Panasonic, hired a “consultant” who was in reality a foreign
official that worked at an airline in the Middle East, paying the official
over $875,000 over six years for little or no work to show for it. The
official, however, did have some influence over the choice of the inflight entertainment provider at the airline. As a result, PAC earned
more than $92 million in profits from portions of a contract with the
airline. In another “in-flight” mishap, PAC paid a consultant who was
employed with an unnamed U.S. airline for “inside” or other “sensitive” information about one of their competitors.
The turbulence didn’t stop there for PAC. On record, PAC appropriately terminated sales agents in their Asia region for not meeting
company compliance requirements. However, PAC continued to use
the employees secretly by rehiring them as subagents of another
company. This allowed PAC to hide more than $7 million in payments
to at least 13 subagents. The mischaracterization of payments made
to consultants and sales agents caused the parent company of Panasonic to falsify their accounting records, in violation of the FCPA.
Source: The United States Department of Justice: Office of Public Affairs,
“Panasonic Avionic Corporation Agrees to Pay $137 Million to Resolve
Foreign Corrupt Practices Act Charges,” April 30, 2018, “Panasonic agrees to
pay US government $280 million for anti-bribery violations,” CNN Business,
April 30, 2018.
152 Part Two The Financial Statement Audit
professional standards, auditors have the same responsibility for detecting material misstatements resulting from illegal acts that have a direct and material effect on the financial statements as they do for those caused by errors or fraud.
The responsibility for detecting indirect-effect noncompliance is not the same as the
responsibility to detect a material misstatement resulting from fraud, as an auditor cannot
possibly be expected to know all the relevant laws and regulations that affect their clients. For example, consider an audit client who has violated environmental regulations.
Ultimately, such a violation may result in a contingent liability being recorded in the
financial statements. However, the auditor may not become aware of the violation until
an investigation occurs or the resultant fine is reported to the auditor by the client. Thus,
auditor responsibility for detecting indirect-effect noncompliance is limited as follows: If
the auditor becomes aware of the possibility that an illegal act occurred that might have a
material effect on the financial statements, the auditor should perform procedures that are
directly focused on whether such an illegal act occurred. Otherwise, because the auditor
cannot be considered an expert in all laws and regulations, an auditor is not required to
provide assurance about indirect-effect noncompliance.
Of course, auditors must always respond to any type of noncompliance or suspected
noncompliance that is identified during the audit. To do so, they must gain an understanding of the nature and circumstances of the noncompliance and then evaluate the possible
effect on financial statements. The noncompliance should be discussed with management at a level above the person responsible for the noncompliance. If noncompliance
is “clearly inconsequential,” that may be the extent of the follow-up. Noncompliance or
suspected noncompliance having financial statement effects of more than this threshold
should be reported to those charged with governance such as the audit committee, and the
financial statements should contain adequate disclosures about the organization’s noncompliance. Discussion with the client’s legal counsel may also be necessary. External
auditors always have the option to withdraw from an engagement if management and
directors do not take satisfactory action under the circumstances.
The Private Securities Litigation Reform Act of 1995 imposed another reporting obligation. Under this law, when auditors believe an illegal act that is more than “clearly
inconsequential” has or may have occurred, the auditors must inform the organization’s
board of directors. When the auditors believe the illegal act has a material effect on the
financial statements, the board of directors has one business day to inform the SEC. If the
board decides not to inform the SEC, the auditors must (1) within one business day give
the SEC the same report they gave the board of directors or (2) resign from the engagement and, within one business day, give the SEC the report. If the auditors do not fulfill
this legal obligation, the SEC can impose a civil penalty (e.g., monetary fine) on them.
REVIEW CHECKPOINTS
4.19 What are some of the ways discussed that an auditor can respond to significant risks, including
high potential for fraud?
4.20 If fraud is discovered, to whom within the company should the auditor communicate that information?
4.21 How do the professional audit standards differ for (a) errors, (b) frauds, (c) direct-effect noncompliance, and (d) indirect-effect noncompliance?
AUDIT STRATEGY MEMORANDUM
LO 4-6
Describe the content and
purpose of an audit strategy
memorandum.
The audit plan discussed in Chapter 3, which summarizes all of the important planning
information and serves to document that auditors have followed generally accepted auditing standards, includes a description of the audit strategy memorandum. After assessing the
overall financial statement risks, determining which accounts are significant, and which
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 153
assertions are relevant to those accounts, the auditor should establish an overall audit strategy that sets the scope, timing, and direction for auditing each relevant assertion. The strategy is a result of the audit risk model. If auditors believe they can rely on company controls
to mitigate risks, they test the controls as described in Chapter 5. Depending on the results
of such tests, the auditors determine the nature, timing, and extent of substantive procedures. If the auditors identified fraud risk or other significant risks or noncompliance with
laws and regulations, they specifically address them in the strategy, including the possibility
of adding fraud specialists to the team or by expanding testing.
In establishing the overall audit strategy, the auditor should take into account (1) the
reporting objectives of the engagement and the nature of the communications required
by auditing standards, (2) the factors that are significant in directing the activities of
the engagement team, and (3) the results of preliminary engagement activities and the
auditor’s evaluation risk assessment. Also, various laws or regulations may require other
matters to be communicated. The strategy should outline the nature, timing, and extent
of resources necessary to perform the engagement. Planned tests of controls, substantive procedures, and other planned audit procedures required to be performed so that the
engagement complies with auditing standards should be documented with specific directions about the effect on the audit.
The audit strategy memorandum becomes the basis for preparing the audit plan that lists
the audit procedures to be completed for each relevant assertion related to each significant
account and disclosure identified on the audit engagement. Since the audit procedures to
be performed by the auditors are designed to gather sufficient appropriate evidence on
which to base their audit opinion on the financial statements, the professional auditing
standards require a written audit plan that documents the audit strategy on each engagement. An example of an audit strategy memorandum is presented in Appendix 4B.
REVIEW CHECKPOINT
4.22 What is the purpose of an audit strategy memorandum? What information should it contain?
Summary
According to AS 1101.03, “To form an appropriate basis for expressing an opinion on
the financial statements, the auditor must plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free of material misstatement due
to error or fraud. Reasonable assurance is obtained by reducing audit risk to an appropriately low level through applying due professional care, including obtaining sufficient
appropriate audit evidence.”10 In order to accomplish this objective, the auditor must take
the time to carefully assess audit risk on each audit engagement.
Audit risk is the risk assumed by the auditors that they could express an incorrect
opinion on financial statements that are materially misstated as a result of errors or fraud.
The audit risk model breaks down audit risk into three components: inherent risk, control
risk, and detection risk. Inherent risk involves the susceptibility of accounts to misstatement (assuming that no controls are present). Control risk addresses the effectiveness
(or lack thereof) of the controls in preventing or detecting misstatements. Inherent and
control risk are often combined and referred to as the risk of material misstatement.
Detection risk involves the effectiveness of the auditors’ procedures in detecting fraud
or misstatement. Solving for detection risk in the audit risk model yields guidance for the
preparation of the audit plan and the nature, timing, and extent of further audit procedures
to be performed.
Risk assessment starts with knowledge of the types of errors and frauds that can be perpetrated. It involves understanding the company, its industry, and its environment. Auditors assess risk by obtaining public and internal information, holding team brainstorming
10
PCAOB Release 2010-004. “Auditing Standard No. 14: Evaluating Audit Results.” August 5, 2010.
154 Part Two The Financial Statement Audit
discussions, performing analytical procedures, and inquiring of management, directors,
and key employees. The culmination of the auditor’s risk assessment process is the
identification of the risk of material misstatement for each relevant assertion for each
significant account and disclosure on each audit engagement. During the engagement,
auditors respond to identified risks by increasing the effectiveness of their procedures
and employing specialists and experienced personnel when necessary. Audit strategies
are the auditors’ summaries of their assessments and how they will respond to identified
risks, particularly significant risks, which include the risk of fraud. Audit strategies are
documented in the audit plan.
Key Terms
accounting estimates: The approximations of financial statement amounts often included in
financial statements, 138
analytical procedures: Procedures that allow auditors to evaluate financial information by
studying relationships among both financial and nonfinancial data. When used near the end of the
audit, analytical procedures allow auditors to assess the conclusions reached during the audit and
evaluate the overall financial statement presentation, 141
audit committee: A subcommittee of the board of directors that is generally composed of three
to six “outside” members of the organization’s board of directors, 150
audit risk: The risk that the auditor will express an inappropriate audit opinion when the financial
statements are materially misstated (e.g., giving an unmodified opinion on financial statements
that are misleading because of material misstatements the auditors failed to discover), 123
audit strategy memorandum: The scope, timing, and direction for auditing each relevant
assertion based on the results of the audit risk model, 152
business risks: Those factors, events, and conditions that could prevent the organization from
achieving its business objectives, 138
control risk: The likelihood that the client’s internal control policies and procedures fail to
prevent or detect a material misstatement, 125
defalcation: Another name for employee fraud and embezzlement, 132
detection risk: The likelihood that the auditors’ substantive procedures will fail to detect a
material misstatement that exists within an account balance or class of transactions, 125
direct-effect noncompliance: The violations of laws or government regulations by the entity
or its management or employees that produce direct and material effects on dollar amounts in
financial statements, 151
embezzlement: A type of fraud involving employees or nonemployees wrongfully taking money
or property entrusted to their care, custody, and control, often accompanied by false accounting
entries and other forms of lying and cover-up, 132
employee fraud: The use of fraudulent means to take money or other property from an
employer. It consists of three phases: (1) the fraudulent act, (2) the conversion of the money or
property to the fraudster’s use, and (3) the cover-up, 132
errors: The unintentional misstatements or omissions of amounts or disclosures in financial
statements, 132
extended procedures: The audit procedures used in response to heightened fraud awareness as
the result of the identification of significant risks, 149
fraud: The misrepresentation of facts that the individual knows to be false with the intention to
deceive, 128
fraudulent financial reporting: Intentional misstatements, including omissions of amounts or
disclosures in financial statements intended to deceive financial statement users, 132
horizontal analysis: The comparative analysis of year-to-year changes in balance-sheet and
income-statement accounts, 142
indirect-effect noncompliance: The violation of laws and regulations that does not directly
affect specific financial statement accounts or disclosures (e.g., violations relating to insider
securities trading, occupational health and safety, food and drug administration regulations,
environmental protection, and equal employment opportunity), 151
inherent risk: The probability that in the absence of internal controls, material errors or frauds
could enter the accounting system used to develop financial statements, 125
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 155
larceny: The simple theft of an employer’s property that is not entrusted to an employee’s care,
custody, or control, 132
management fraud: The deliberate fraud committed by management that injures investors and
creditors through materially misleading information, 132
misappropriation of assets: Asset theft from an entity. It is often perpetrated by employees in
small amounts and is sometimes referred to as employee fraud, 132
related parties: Those individuals or organizations that are closely tied to the audit client,
possibly through family ties or investment relationships, 136
relevant assertion: A financial statement assertion that has a reasonable possibility of containing
a misstatement or misstatements that would cause the financial statements to be materially
misstated, 124
risk of material misstatement (RMM): The combined inherent and control risk; in other words,
the likelihood that material misstatements may have entered the accounting system and not been
detected and corrected by the client’s internal control, 124
significant account or disclosure: An account or disclosure that has a reasonable possibility of
containing a material misstatement individually or when aggregated with others regardless of the
effect of controls, 124
significant risk: A risk of material misstatement that requires special audit consideration.
Fraud risk is always considered significant risk, 149
vertical analysis: The common-size analysis of financial statement amounts created by
expressing amounts as proportions of a common base such as sales for the income-statement
accounts or total assets for the balance-sheet accounts, 142
white-collar crime: Fraud perpetrated by people who work in offices and steal with a pencil or a
computer terminal. The contrast is with violent street crime, 132
Multiple-Choice
Questions for
Practice and
Review
All applicable questions are available
with Connect.
LO 4-2
4.23 Auditing standards do not require auditors of financial statements to
a. Understand the nature of errors and frauds.
b. Assess the risk of occurrence of errors and frauds.
c. Design audits to provide reasonable assurance of detecting errors and frauds.
d. Report all errors and frauds found to police authorities.
LO 4-2
4.24 If sales were overstated by recording a false credit sale at the end of the year, where could
you find the false “dangling debit”?
a. Inventory.
b. Cost of goods sold.
c. Bad debt expense.
d. Accounts receivable.
LO 4-2
4.25 One of the typical characteristics of management fraud is
a. Falsification of documents in order to misappropriate funds from an employer.
b. Victimization of investors through the use of materially misleading financial statements.
c. Illegal acts committed by management to evade laws and regulations.
d. Conversion of stolen inventory to cash deposited in a falsified bank account.
LO 4-2
4.26 Which of the following circumstances would most likely cause an audit team to perform
extended procedures?
a. Supporting documents are produced when requested.
b. The client made several large adjustments at or near year-end.
c. The company has recently hired a new chief financial officer after the previous one retired.
d. The company maintains several different petty cash funds.
156 Part Two The Financial Statement Audit
LO 4-3
4.27 The likelihood that material misstatements may have entered the accounting system and not
been detected and corrected by the client’s internal control is referred to as
a. Inherent risk.
b. Control risk.
c. Detection risk.
d. Risk of material misstatement.
LO 4-1
4.28 The risk of material misstatement is composed of which audit risk components?
a. Inherent risk and control risk.
b. Control risk and detection risk.
c. Inherent risk and detection risk.
d. Inherent risk, control risk, and detection risk.
LO 4-1
4.29 The risk that the auditors’ own testing procedures will lead to the decision that material misstatements do not exist in the financial statements when in fact such misstatements do exist is
a. Audit risk.
b. Inherent risk.
c. Control risk.
d. Detection risk.
LO 4-1
4.30 If tests of controls induce the audit team to change the assessed level of control risk for fixed
assets from low to high and audit risk and inherent risk remain constant, the acceptable level
of detection risk is most likely to
a. Change from moderate to high.
b. Change from low to moderate.
c. Change from high to moderate.
d. Be unchanged.
LO 4-2
4.31 Which of the following is a specific audit procedure that would be completed in response to
a particular fraud risk in an account balance or class of transactions?
a. Exercising more professional skepticism.
b. Carefully avoiding conducting interviews with people in areas that are most susceptible
to fraud.
c. Performing procedures such as inventory observation and cash counts on a surprise or
unannounced basis.
d. Studying management’s selection and application of accounting principles more carefully.
LO 4-4
4.32 Analytical procedures are generally used to produce evidence from
a. Confirmations mailed directly to the auditors by client customers.
b. Physical observation of inventories.
c. Relationships among current financial balances and prior balances, forecasts, and nonfinancial data.
d. Detailed examination of external, external-internal, and internal documents.
LO 4-4
4.33 Which of the following relationships between types of analytical procedures and sources of
information are most logical?
Type of Analytical Procedure
Source of Information
a.Comparison of current account balances with prior periods
Physical production statistics
b.Comparison of current account balances with expected
balances
Company’s budgets and forecasts
c.Evaluation of current account balances with relation to
predictable historical patterns
Published industry ratios
d.Evaluation of current account balances in relation to
nonfinancial information
Company’s own comparative financial
statements
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 157
LO 4-4
4.34 Analytical procedures can be used in which of the following ways?
a. As a means of overall review near the end of the audit.
b. As “attention-directing” methods when planning an audit at the beginning.
c. As substantive audit procedures to obtain evidence during an audit.
d. All of the above.
LO 4-4
4.35 Analytical procedures used when planning an audit should concentrate on
a. Weaknesses in the company’s internal control activities.
b. Predictability of account balances based on individual significant transactions.
c. Management assertions in financial statements.
d. Accounts and relationships that can represent specific potential problems and risks in
the financial statements.
LO 4-4
4.36 When a company that sells its products with a positive gross profit increases its sales by 15
percent and its cost of goods sold by 7 percent, the cost of goods sold ratio will
a. Increase.
b. Decrease.
c. Remain unchanged.
d. Not be able to be determined with the information provided.
LO 4-3
4.37 Auditors are not responsible for accounting estimates with respect to
a. Making the estimates.
b. Determining the reasonableness of estimates.
c. Determining that estimates are presented in conformity with GAAP.
d. Determining that estimates are adequately disclosed in the financial statements.
LO 4-6
4.38 An audit strategy memorandum contains
a. Specifications of auditing standards relevant to the financial statements being audited.
b. Specifications of procedures the auditors believe appropriate for the financial statements
under audit.
c. Documentation of the assertions under audit, the evidence obtained, and the conclusions
reached.
d. Reconciliation of the account balances in the financial statements with the account balances in the client’s general ledger.
LO 4-1
4.39 It is acceptable under generally accepted auditing standards for an audit team to
a. Assess risk of material misstatement at high and achieve an acceptably low audit risk by
performing extensive substantive tests.
b. Assess control risk at zero and perform a minimum of substantive testing.
c. Assess inherent risk at zero and perform a minimum of substantive testing.
d. Decide that audit risk can be high.
LO 4-5
4.40 Under the Private Securities Litigation Reform Act (the act), independent auditors are
required to first
a. Report in writing all instances of noncompliance with the act to the client’s board of
directors.
b. Report to the SEC all instances of noncompliance with the act they believe have a material
effect on financial statements if the board of directors does not first report to the SEC.
c. Report clearly inconsequential noncompliance with the act to the audit committee of the
client’s board of directors.
d. Resign from the audit engagement and report the instances of noncompliance with the
act to the SEC.
LO 4-3
4.41 When evaluating whether accounting estimates made by management are reasonable, auditors would be most interested in which of the following?
a. Key factors that are consistent with prior periods.
b. Assumptions that are similar to industry guidelines.
158 Part Two The Financial Statement Audit
c. Measurements that are objective and not susceptible to bias.
d. Evidence of a conservative systematic bias.
LO 4-3
4.42 An audit committee is
a. Composed of internal auditors.
b. Composed of members of the audit team.
c. Composed of members of a company’s board of directors who are not involved in the
day-to-day operations of the company.
d. A committee composed of persons not associating in any way with the client or the
board of directors.
LO 4-5
4.43 When auditors become aware of noncompliance with a law or regulation committed by client
personnel, the primary reason that the auditors should obtain a better understanding of the
nature of the act is to
a. Recommend remedial actions to the audit committee.
b. Evaluate the effect of the noncompliance on the financial statements.
c. Determine whether to contact law enforcement officials.
d. Determine whether other similar acts could have occurred.
LO 4-5
4.44 Which of the following statements best describes auditors’ responsibility for detecting a client’s
noncompliance with a law or regulation?
a. The responsibility for detecting noncompliance exactly parallels the responsibility for
errors and fraud.
b. Auditors must design tests to detect all material noncompliance that indirectly affect the
financial statements.
c. Auditors must design tests to obtain reasonable assurance that all noncompliance with
direct material financial statement effects is detected.
d. Auditors must design tests to detect all noncompliance that directly affects the financial
statements.
LO 4-4
4.45 Auditors perform analytical procedures in the planning stage of an audit for the purpose of
a. Deciding the matters to cover in an engagement letter.
b. Identifying unusual conditions that deserve more auditing effort.
c. Determining which of the financial statement assertions are the most important for the
client’s financial statements.
d. Determining the nature, timing, and extent of further audit procedures for auditing the
inventory.
LO 4-4
4.46 A primary objective of analytical procedures used in the final review stage of an audit is to
a. Identify account balances that represent specific risks relevant to the audit.
b. Gather evidence from tests of details to corroborate financial statement assertions.
c. Detect fraud that may cause the financial statements to be misstated.
d. Assist the auditor in evaluating the overall financial statement presentation.
(AICPA adapted)
LO 4-4
4.47 An auditor’s analytical procedures indicate a lower than expected return on an equity method
investment. This situation most likely could have been caused by
a. An error in recording amortization of the excess of the investor’s cost over the investment’s underlying book value.
b. The investee’s decision to reduce cash dividends declared per share of its common stock.
c. An error in recording the unrealized gain from an increase in the fair value of availablefor sale securities in the income account for trading securities.
d. A substantial fluctuation in the price of the investee’s common stock on a national stock
exchange.
(AICPA adapted)
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 159
LO 4-4
4.48 Which of the following risk types increase when an auditor performs substantive analytical
audit procedures for financial statement accounts at an interim date?
a. Inherent
b. Control
c. Detection
d. Sampling
(AICPA adapted)
LO 4-3
4.49 Which of the following matters relating to an entity’s operations would an auditor most
likely consider as an inherent risk factor in planning an audit?
a. The entity’s fiscal year ends on June 30.
b. The entity enters into significant derivative transactions as hedges.
c. The entity’s financial statements are generated at an outside service center.
d. The entity’s financial data is available only in computer-readable form.
(AICPA adapted)
LO 4-2
4.50 What is the primary objective of the fraud brainstorming session?
a. Determine audit risk and materiality.
b. Identify whether analytical procedures should be applied to the revenue accounts.
c. Assess the potential for material misstatement due to fraud.
d. Determine whether the planned procedures in the audit plan will satisfy the general
audit objectives.
(AICPA adapted)
Exercises and
Problems
LO 4-4
All applicable Exercises and Problems are available with
Connect.
4.51 Analytical Procedures and Interest Expense. Weyman Z. Wannamaker is the chief financial officer of Cogburn Company. He prides himself on being able to manage the company’s
cash resources to minimize the interest expense. Consequently, on the second business day
of each month, Weyman pays down or draws cash on Cogburn’s revolving line of credit at
First National Bank in accordance with his cash requirements forecast.
You are the auditor. You find the information on this line of credit in the following table.
You inquired at First National Bank and learned that Cogburn Company’s line of credit
agreement specifies payment on the first day of each month for the interest due on the previous month’s outstanding balance at the rate of “prime plus 1.5 percent.” The bank gave you
a report that showed the prime rate of interest was 8.5 percent for the first six months of the
year and 8.0 percent for the last six months.
Cogburn Company Line of Credit Balance
Date
Balance
Jan 1
Feb 1
Mar 1
Apr 1
May 1
Jun 1
Jul 1
Aug 1
Sep 1
Oct 1
Nov 1
Dec 1
$150,000
200,000
200,000
225,000
285,000
375,000
375,000
430,000
290,000
210,000
172,000
95,000
160 Part Two The Financial Statement Audit
Required:
a. Prepare an audit estimate of the amount of interest expense you expect to find as the balance of the interest expense account related to these notes payable.
b. Which of the types of analytical procedures did you use to determine this estimate?
c. Suppose that you find that the interest expense account shows expense of $23,650 related
to these notes. What could account for this difference?
d. Suppose that you find that the interest expense account shows expense of $24,400 related
to these notes. What could account for this difference?
e. Suppose that you find that the interest expense account shows expense of $25,200 related
to these notes. What could account for this difference?
LO 4-3
4.52 Appropriateness of Evidence and Related Parties. Johnson & Company, CPAs, audited
Guaranteed Savings & Loan Company. M. Johnson had the assignment of evaluating the collectability of real estate loans. Johnson was working on two particular loans: (1) a $4 million
loan secured by Smith Street Apartments and (2) a $5.5 million construction loan on Baker
Street Apartments now being built. The appraisals performed by Guaranteed Appraisal Partners Inc. showed values in excess of the loan amounts. On inquiry, Bumpus, the S&L vice
president for loan acquisition, stated, “I know the Smith Street loan is good because I myself
own 40 percent of the partnership that owns the property and is obligated on the loan.”
Johnson then wrote in the audit documentation: (1) the Smith Street loan appears collectible
as Bumpus personally attested to knowledge of the collectability as a major owner in the partnership obligated on the loan; (2) the Baker Street loan is assumed to be collectible because it is new
and construction is still in progress; and (3) the appraised values all exceed the loan amounts.
Required:
a. Do you perceive any problems with related-party involvement in the evidence used by
Johnson? Explain.
b. Do you perceive any problems with Johnson’s reasoning or the appropriateness of evidence used in that reasoning?
LO 4-3
4.53 Risk of Misstatement in Various Accounts. An auditor must identify the relevant assertions
about each significant financial statement account and disclosure and then gather evidence to
conclude whether a material misstatement exists for each assertion. The nature of each financial
statement account and disclosure contributes to the likelihood that a material misstatement exists.
a. In general, which accounts are most susceptible to overstatement? To understatement?
b. Why do you think a company could permit asset accounts to be understated?
c. Why do you think a company could permit liability accounts to be overstated?
d. Which direction of misstatement is most likely: income overstatement or income
understatement?
LO 4-3
4.54 Analysis of Accounting Estimates. Oak Industries, a manufacturer of radio and cable TV
equipment and an operator of subscription TV systems, had a multitude of problems. Subscription services in a market area, for which $12 million of cost had been deferred, were
being terminated, and the customers were not paying on time ($4 million receivables in
doubt). The chances are 50-50 that the business will survive another two years.
An electronic part turned out to have defects that needed correction. Warranty expenses
are estimated to range from $2 million to $6 million. The inventory of this part ($10 million) is obsolete, but $1 million can be recovered in salvage, or the parts in inventory can be
rebuilt at a cost of $2 million. (The selling price of the inventory on hand would then be $8
million, with 20 percent of the selling price required to market and ship the products, and the
normal profit is expected to be 5 percent of the selling price.) If the inventory were scrapped,
the company would manufacture a replacement inventory at a cost of $6 million, excluding
marketing and shipping costs and normal profit.
The company has defaulted on completion of a military contract, and the government is
claiming a $2 million refund. Company attorneys think the dispute might be settled for as
little as $1 million.
The auditors had previously determined that an overstatement of income before taxes of
$7 million would be material to the financial statements. These items were the only ones
left for audit decisions about possible adjustment. Management has presented the following
analysis for the determination of loss recognition:
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 161
Write off deferred subscription costs
Provide allowance for bad debts
Provide for expected warranty expense
Lower-of-cost-or-market inventory write-down
Loss on government contract refund
$ 3,000,000
4,000,000
2,000,000
2,000,000
????????
Required:
Prepare your own analysis of the amount of adjustment to the financial statements. Assume
that none of these estimates have been recorded yet, and give the adjusting entry you would
recommend. Give any supplementary explanations you believe necessary to support your
recommendation.
LO 4-4
4.55 Horizontal and Vertical Analysis. Horizontal analysis refers to changes of financial
statement numbers and ratios across two or more years. Vertical analysis refers to financial
statement amounts expressed each year as proportions of a base such as sales for the incomestatement accounts and total assets for the balance-sheet accounts. Exhibit 4.55.1 contains
Retail Company’s prior-year (audited) and current-year (unaudited) financial statements,
along with amounts and percentages of change from year to year (horizontal analysis) and
common-size percentages (vertical analysis). Exhibit 4.55.2 contains selected financial
ratios based on these financial statements. Analysis of these data can enable auditors to discern
relationships that raise questions about misleading financial statements.
EXHIBIT 4.55.1 Retail Company
Prior Year (Audited)
Assets:
Cash
Accounts receivable
Allowance doubt. accts.
Inventory
Total current assets
Fixed assets
Accum. depreciation
Total assets
Liabilities and equity:
Accounts payable
Bank loans, 11%
Accrued interest
Accruals and other
Total current liab.
Long-term debt, 10%
Total liabilities
Capital stock
Retained earnings
Total liabilities and equity
Statement of operations:
Sales (net)
Cost of goods sold
Gross margin
General expense
Depreciation
Operating income
Interest expense
Income taxes (40%)
Net income
“NA” means not applicable.
Current Year (Unaudited)
Change
Balance
Common Size
Balance
Common Size
Amount
Percent
$600,000
500,000
(40,000)
1,500,000
2,560,000
3,000,000
(1,500,000)
$4,060,000
14.78%
12.32
–0.99
36.95
63.05
73.89
–36.95
100.00%
$484,000
400,000
(30,000)
1,940,000
2,794,000
4,000,000
(1,800,000)
$4,994,000
9.69%
8.01
–0.60
38.85
55.95
80.10
–36.04
100.00%
$(116,000)
(100,000)
10,000
440,000
234,000
1,000,000
(300,000)
$934,000
19.33%
–
–20.00
–25.00
29.33
9.14
33.33
20.00
23.00%
$450,000
0
50,000
60,000
560,000
500,000
1,060,000
2,000,000
1,000,000
$4,060,000
11.08%
0.00
1.23
1.48
13.79
12.32
26.11
49.26
24.63
100.00%
$600,000
750,000
40,000
10,000
1,400,000
400,000
1,800,000
2,000,000
1,194,000
$4,994,000
12.01%
15.02
0.80
0.20
28.03
8.01
36.04
40.05
23.91
100.00%
$150,000
750,000
(10,000)
(50,000)
840,000
(100,000)
740,000
0
194,000
934,000
33.33%
NA
–20.00
–83.33
150.00
–20.00
69.81
0
19.40
23.00%
$9,000,000
6,296,000
2,704,000
2,044,000
300,000
360,000
50,000
124,000
$186,000
100.00%
69.96
30.04
22.7
3.33
4.00
0.56
1.38
2.07%
$8,100,000
5,265,000
2,835,000
2,005,000
300,000
530,000
40,000
196,000
$294,000
100.00%
65.00
35.00
24.75
3.70
6.54
0.49
2.42
3.63%
$(900,000)
(1,031,000)
131,000
(39,000)
0
170,000
(10,000)
72,000
$108,000
10.00%
–
–16.38
4.84
–1.91
0
47.22
–20.00
58.06
58.06%
162 Part Two The Financial Statement Audit
EXHIBIT 4.55.2
Prior Year
(audited)
Retail Company
Current Year
(unaudited)
Percent
Change
Balance-sheet ratios:
Current ratio
Days’ sales in receivables
4.57
2.0
18.40
16.44
−10.63
−56.34%
Doubtful accounts ratio
0.08
0.08
−6.25
Days’ sales in inventory
85.77
132.65
54.66
0.35
0.56
40.89
19.57
21.89
11.89
Debt/equity ratio
Operations ratios:
Receivables turnover
4.20
2.71
−35.34
Cost of goods sold/sales
Inventory turnover
69.96%
65.00%
−7.08
Gross margin %
30.04%
35.00%
16.49
Return on equity
6.61%
9.80%
48.26
Required:
Study the data in Exhibits 4.55.1 and 4.55.2. Write a memorandum identifying and explaining potential problem areas where misstatements in the current-year financial statements
could exist. Additional information about Retail Company is as follows:
∙ The new bank loan, obtained on July 1 of the current year, requires maintenance of a 2:1
current ratio.
∙ Principal of $100,000 plus interest on the 10 percent long-term note obtained several
years ago in the original amount of $800,000 is due each January 1.
∙ The company has never paid dividends on its common stock and has no plans for a
dividend.
LO 4-3
4.56 Analysis and Judgment. As part of your regular year-end audit of a public client, you
must estimate the probability of success of its proposed new product line. The client has
experienced financial difficulty during the last few years and, in your judgment, a successful
introduction of the new product line is necessary for the client to remain a going concern.
Five elements are necessary for the successful introduction of the product: (1) successful
labor negotiations before the strike deadline between the construction firms contracted to build
the necessary addition to the present plant and the building trades unions, (2) successful defense
of patent rights, (3) product approval by the Food and Drug Administration (FDA), (4) successful negotiation of a long-term raw material contract with a foreign supplier, and (5) successful
conclusion of distribution contract talks with a large national retail distributor.
In view of the circumstances, you contact experts who have provided your public accounting firm with reliable estimates in the past. The labor relations expert estimates that there is
an 80 percent chance of successfully concluding labor negotiations. Legal counsel advises
that there is a 90 percent chance of successfully defending patent rights. The expert on FDA
product approvals estimates a 95 percent chance of new product approval. The experts in the
remaining two areas estimate the probability of successfully resolving (1) the raw materials
contract and (2) the distribution contract talks to be 90 percent in each case. Assume that
these estimates are reliable.
Required:
What is your assessment of the probability of successful product introduction? (Hint: You
can assume that each of the five elements is independent of the others.)
LO 4-4
4.57 Analytical Procedures. Kelly Griffin, an audit manager, had begun preliminary analytical
procedures of selected statistics related to the Majestic Hotel. Her objective was to obtain an
understanding of the hotel’s business in order to draft a preliminary audit plan. She wanted
to see whether she could detect any troublesome areas or questionable accounts that could
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 163
require special audit attention. Unfortunately, Griffin caught the flu and was hospitalized.
From her sickbed, she sent you the schedule she had prepared (Exhibit 4.57.1) and has asked
you to write a memorandum identifying areas of potential misstatements or other matters
that the preliminary audit plan should cover.
EXHIBIT 4.57.1
Analytical Procedure
Documentation
Majestic
(percent)
Industry
(percent)
Rooms
60.4%
63.9%
Food and beverage
35.7
32.2
3.9
3.9
Rooms department
15.2
17.3
Food and beverage
34.0
27.2
Administrative and general
8.0
8.9
Management fee
3.3
1.1
Advertising
2.7
3.2
Real estate taxes
3.5
3.2
15.9
13.7
17.4
25.4
18.9
15.7
Laundry
1.1
3.7
Other
5.3
7.6
74.8
73.0
Cost of food sold
42.1
37.0
Food gross profit
57.9
63.0
Sales:
Other
Costs:
Utilities, repairs, maintenance
Profit per sales dollar
Rooms dept. ratios to room sales dollars:
Salaries and wages
Profit per rooms sales dollar
Food/beverage (F/B) ratios to F/B sales dollars:
Cost of beverages sold
43.6
29.5
Beverages gross profit
56.4
70.5
Combined gross profit
57.7
64.6
Salaries and wages
39.6
32.8
—
2.7
13.4
13.8
4.7
15.3
Average annual percent of rooms occupied
62.6
68.1
Average room rate per day
$160
$120
200
148
Music and entertainment
Other
Profit per F/B sales dollar
Number of rooms available per day
Required:
Write a memorandum describing Majestic’s operating characteristics compared to the industry average insofar as you can tell from the statistics. Do these analytical procedures identify
any areas that could represent potential misstatements in the audit?
LO 4-4
4.58 Preliminary Analytical Procedures. Dunder-Mifflin Inc. wanted to expand its manufacturing and sales facilities. The company applied for a loan from First Bank, presenting the prioryear audited financial statements and the forecast for the current year shown in Exhibit 4.58.1.
(Dunder-Mifflin Inc.’s fiscal year-end is December 31.) The bank was impressed with the
164 Part Two The Financial Statement Audit
business prospects and granted a $1,750,000 loan at 8 percent interest to finance working
capital and the new facilities that were placed in service July 1 of the current year. Because
Dunder-Mifflin Inc. planned to issue stock for permanent financing, the bank made the loan
due on December 31 of the following year. Interest is payable each calendar quarter on
October 1 of the current year and January 1, April 1, July 1, October 1 of the following year.
EXHIBIT 4.58.1
Prior Year
(audited)
Dunder-Mifflin Inc.
Forecast
Current Year
(unaudited)
Revenue and Expense:
Sales (net)
$9,000,000
$9,900,000
$9,720,000
Cost of goods sold
6,296,000
6,926,000
7,000,000
Gross margin
2,704,000
2,974,000
2,720,000
General expense
2,044,000
2,000,000
2,003,000
300,000
334,000
334,000
Operating income
360,000
640,000
383,000
Interest expense
60,000
110,000
75,000
Income taxes (40%)
120,000
212,000
123,200
Net income
180,000
318,000
184,800
Cash
600,000
880,000
690,800
Accounts receivable
500,000
600,000
900,000
Allowance for doubtful accounts
(40,000)
(48,000)
(90,000)
1,500,000
1,500,000
1,350,000
2,560,000
2,932,000
2,850,800
3,000,000
4,700,000
4,500,000
Accumulated depreciation
(1,500,000)
(1,834,000)
(1,834,000)
Total assets
$ 4,060,000
$5,798,000
$5,516,800
$450,000
$450,000
$330,000
0
1,750,000
1,750,000
60,000
40,000
40,000
50,000
60,000
32,000
$560,000
$2,300,000
$2,152,000
Long-term debt, 10%
600,000
400,000
400,000
Total liabilities
$1,160,000
$2,700,000
$2,552,000
2,000,000
2,000,000
2,000,000
Retained earnings
900,000
1,098,000
964,800
Total liabilities and equity
$4,060,000
$5,798,000
$ 5,516,800
Depreciation
Assets:
Inventory
Total current assets
Fixed assets
Liabilities and Equity:
Accounts payable
Bank loans, 8%
Accrued interest
Accruals and other
Total current liabilities
Capital stock
The auditors’ interviews with Dunder-Mifflin Inc. management near the end of the current year produced the following information: The facilities did not cost as much as previously anticipated. However, sales were slow and the company granted more liberal return
privilege terms than in the prior year. Officers wanted to generate significant income to
impress First Bank and to preserve the company dividend ($120,000 paid in the prior year).
The production managers had targeted inventory levels for a 4.0 turnover ratio and were
largely successful even though prices of materials and supplies had risen about 2 percent
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 165
relative to sales dollar volume. The new facilities were depreciated using a 25-year life from
the date of opening.
Dunder-Mifflin Inc. has now produced the current-year financial statements (Exhibit 4.58.1,
Current Year column) for the auditors’ work on the current audit.
Required:
Perform preliminary analytical procedures on the current-year unaudited financial statements
for the purpose of identifying accounts that could contain errors or frauds. Use your knowledge of Dunder-Mifflin Inc. and the forecast in Exhibit 4.58.1. Calculate comparative and
common-size financial statements as well as relevant ratios. (Assume that the market value
of the equity for the company is $3 million.) Once your calculations are complete, identify
the accounts that could be misstated.
LO 4-1
4.59 Audit Risk Model. Audit risks for particular accounts and disclosures can be conceptualized in the model: Audit risk (AR) = Inherent risk (IR) × Control risk (CR) × Detection risk
(DR). Use this model as a framework for considering the following situations and deciding
whether the auditor’s conclusion is appropriate.
a. Paul, CPA, has participated in the audit of Tordik Cheese Company for five years, first
as an assistant accountant and the last two years as the senior accountant. Paul has never
seen an accounting adjustment recommended and believes the inherent risk must be zero.
b. Hill, CPA, has just (November 30) completed an exhaustive study and evaluation of the
internal controls of Edward Foods Inc. (fiscal year ending December 31). Hill believes
the control risk must be zero because no material errors could possibly slip through the
many error-checking procedures and review layers that Edward used.
c. Fields, CPA, is lazy and does not like audit jobs in Philadelphia. On the audit of Philly
Manufacturing Company, Fields decided to use substantive procedures to audit the yearend balances very thoroughly to the extent that the risk of failing to detect material errors
and irregularities should be very low. Fields gave no thought to inherent risk and conducted only a very limited review of Philly’s internal control system.
d. Shad, CPA, is nearing the end of a “dirty” audit of Allnight Protection Company. All of Allnight’s accounting personnel resigned during the year and were replaced by inexperienced
people. The comptroller resigned last month in disgust. The journals and ledgers were a
mess because the one computer specialist was hospitalized for three months during the
year. “Thankfully,” Shad thought, “I’ve been able to do this audit in less time than last
year when everything was operating smoothly.”
(AICPA adapted)
LO 4-3
4.60 Auditing an Accounting Estimate. Suppose management estimated the market valuation
of some obsolete inventory at $99,000; this inventory was recorded at $120,000, which
resulted in recognizing a loss of $21,000. The auditors obtained the following information:
The inventory in question could be sold for an amount between $78,000 and $92,000. The
costs of advertising and shipping could range from $5,000 to $7,000.
Required:
a. Would you propose an audit adjustment to the management estimate? Prepare the appropriate accounting entry.
b. If management’s estimate of inventory market (lower than cost) had been $80,000, would
you propose an audit adjustment? Prepare the appropriate accounting entry.
LO 4-1
4.61 Risk Assessment. This question consists of a number of items pertaining to an auditor’s risk
analysis for a company. Your task is to tell how each item affects overall audit risk—that
is, the probability of issuing an unmodified audit report on materially misleading financial
statements.
Bond, CPA, is considering audit risk at the financial statement level in planning the
audit of Toxic Waste Disposal (TWD) Company’s financial statements for the year ended
December 31, 2023. TWD is a privately owned company that contracts with municipal
governments to remove environmental wastes. Audit risk at the overall financial statement
level is influenced by the risk of material misstatements, which may be indicated by a
combination of factors related to management, the industry, and the company.
166 Part Two The Financial Statement Audit
Required:
Based only on the following information, indicate whether each of the following factors
(items 1 through 15) would most likely increase overall audit risk, decrease overall audit risk,
or have no effect on overall audit risk. Discuss your reasoning.
Company Profile
1. This was the first year TWD operated at a profit since 2020 because the municipalities
received increased federal and state funding for environmental purposes.
2. TWD’s board of directors is controlled by Mead, the majority stockholder, who also acts
as the chief executive officer.
3. The internal auditor reports to the controller, and the controller reports to Mead.
4. The accounting department has experienced a high rate of turnover of key personnel.
5. TWD’s bank has a loan officer who meets regularly with TWD’s CEO and controller to
monitor TWD’s financial performance.
6. TWD’s employees are paid biweekly.
7. Bond has audited TWD for five years.
Recent Developments
8. During 2023, TWD changed the method of preparing its financial statements from the
cash basis to the accrual basis under generally accepted accounting principles.
9. During 2023, TWD sold one-half of its controlling interest in United Equipment Leasing
(UEL) Co. TWD retained significant interest in UEL.
10. During 2023, the state dropped litigation filed against TWD in 2019 alleging that the
company discharged pollutants into state waterways. Loss contingency disclosures that
TWD included in prior-years’ financial statements are being removed for the 2023
financial statements.
11. During December 2023, TWD signed a contract to lease disposal equipment from
an entity owned by Mead’s parents. This related-party transaction is not disclosed in
TWD’s notes to its 2023 financial statements.
12. During December 2023, TWD completed a barter transaction with a municipality. TWD
removed waste from a municipally owned site and acquired title to another contaminated
site at below-market price. TWD intends to service this new site in 2024.
13. During December 2023, TWD increased its casualty insurance coverage on several
pieces of sophisticated machinery from historical cost to replacement cost.
14. Inquiries about the substantial increase in revenue that TWD recorded in the fourth
quarter of 2023 disclosed a new policy. TWD guaranteed several municipalities that it
would refund the federal and state funding paid to it if any municipality fails federal or
state site cleanup inspection in 2024.
15. An initial public offering of TWD’s stock is planned for late 2024.
LO 4-2
4.62 Auditing Standards Review. Management fraud (fraudulent financial reporting) is not the
expected norm, but it happens from time to time. In the United States, several cases have
been widely publicized. They happen when motives and opportunities overwhelm managerial integrity.
a. What distinguishes management fraud from a defalcation?
b. What are an auditor’s responsibilities under auditing standards to detect management
fraud?
c. What are some characteristics of management fraud that an audit team should consider to
fulfill the responsibilities under auditing standards?
d. What factors might an audit team notice that should heighten the concern about the existence of management fraud?
e. Under what circumstances might an audit team have a duty to disclose management’s
frauds to parties other than the company’s management and its board of directors?
(AICPA adapted)
LO 4-4
4.63 Analytical Procedures: Ratio Relationships. The following situations represent errors and
frauds that could occur in financial statements.
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 167
Required:
State how the ratio in question would compare (higher, equal, or lower) to what the ratio
should have been had the error or fraud not occurred.
a. The company recorded fictitious sales with credits to sales revenue accounts and debits to
accounts receivable. Inventory was reduced, and cost of goods sold was increased for the profitable “sales.” Is the current ratio higher than, equal to, or lower than what it should have been?
b. The company recorded cash disbursements by paying trade accounts payable but held the
checks past the year-end date, meaning that the “disbursements” should not have been
shown as credits to cash and debits to accounts payable. Is the current ratio higher than,
equal to, or lower than what it should have been? Consider cases in which the current
ratio before the improper “disbursement” recording was (1) higher than 1:1, (2) equal to
1:1, and (3) lower than 1:1.
c. The company uses a periodic inventory system for determining the balance-sheet amount
of inventory at year-end. Very near the year-end, merchandise was received, placed in the
stockroom, and counted, but the purchase transaction was neither recorded nor paid until
the next month. What was the effect of this on inventory, cost of goods sold, gross profit,
and net income? How were these ratios affected compared to what they would have been
without the error: current ratio [remember three possible cases from part (b)], gross margin ratio, cost of goods sold ratio, inventory turnover, and receivables turnover?
d. The company is hesitant to write off customer accounts receivable even though the financial vice president makes entirely adequate provision for uncollectible amounts in the
allowance for bad debts. The gross receivables and the allowance both contain amounts
that should have been written off long ago. How are these ratios affected compared to
what they would have been if the receivables had been properly written off: current ratio,
days’ sales in receivables, doubtful account ratio, receivables turnover, return on beginning equity, and working capital/total assets?
e. Since last year, the company has reorganized its lines of business and placed more
emphasis on its traditional products while selling off some marginal businesses merged
by the previous management. Total assets are 10 percent less than they were last year, but
working capital has increased. Retained earnings remained the same because the disposals created no gains, and the net income after taxes is still near zero, which is the same as
last year. Earnings before interest and taxes (EBIT) remained the same, a small positive
EBIT. The total market value of the company’s equity has not increased, but that is better
than the declines of the past several years. Proceeds from the disposals have been used
to retire long-term debt. Net sales have decreased 5 percent because the sales’ decrease
resulting from the disposals has not been overcome by increased sales of the traditional
products. Is the discriminant Z-score of the current year higher or lower than the one of
the prior year? (See Appendix 4A for the Z-score formula.)
LO 4-6
4.64 Audit Strategy Memorandum. The auditor should establish an overall audit strategy that
sets the scope, timing, and direction of the audit and guides the development of the audit
plan. In establishing the overall audit strategy, the auditor should develop and document an
audit plan that includes a description of (a) the planned nature, timing, and extent of the risk
assessment procedures, (b) the planned nature, timing, and extent of tests of controls and
substantive procedures, and (c) other planned audit procedures that must be performed so
that the engagement complies with auditing standards.
Required:
Select a public company and determine a significant risk that could affect its financial statements. (Hint: Go to the EDGAR database at www.sec.gov and select the company’s form
10-K. The 10-K will have a list of risk factors the company faces.) Describe the risk and
how it could affect the financial statements, including what assertions might be misstated.
Prepare an audit strategy memorandum for the risk describing what controls the company
might use to mitigate the risk, how you could test the controls, and what substantive procedures you might use to determine whether there is a misstatement. Because this is early in
your auditing class, do not worry about specific procedures; just be creative and think about
a general strategy an auditor might use.
LO 4-2
4.65 Errors and Frauds. Give an example of an error or fraud that would misstate financial statements to affect the accounts as follows, taking each case independently. (Note: “Overstate”
168 Part Two The Financial Statement Audit
means the account has a higher value than would be appropriate under GAAP and “understate” means it has a lower value.)
a. Overstate one asset; understate another asset.
b. Overstate an asset; overstate stockholders’ equity.
c. Overstate an asset; overstate revenue.
d. Overstate an asset; understate an expense.
e. Overstate a liability; overstate an expense.
f. Understate an asset; overstate an expense.
g. Understate a liability; understate an expense.
LO 4-5
4.66 Compliance with Laws and Regulations. Audit standards distinguish auditors’ responsibility for planning procedures for detecting noncompliance with laws and regulations
having a direct effect on financial statements versus planning procedures for detecting
noncompliance with laws and regulations that do not have a direct effect on financial
statements.
Required:
a. What are the requirements for auditors to plan procedures to detect direct-effect compliance versus indirect-effect compliance?
b. For each of the following instances of noncompliance, explain why they are either directeffect (D) or indirect-effect (I) noncompliance:
1. A manufacturer inflates expenses on its corporate tax return.
2. A retailer pays men more than women for performing the same job.
3. A coal mining company fails to place proper ventilation in its mines.
4. A military contractor inflates the overhead applied to a combat vehicle.
5. An insurance company fails to maintain required reserves for losses.
6. An exporter pays a bribe to a foreign government official so that government will buy
its products.
7. A company backdates its executive stock options to lower the exercise price.
8. A company fails to fund its pension plan in accordance with ERISA.
LO 4-5
4.67 Identifying Significant Accounts – Auditors gather information from a variety of sources,
including 10-K reports, to help assess risk and identify significant accounts and relevant
assertions.
Required:
You are performing risk assessment procedures for Apple Inc. One source of information
you will use to help assess risk and identify significant accounts is Apple’s most recent 10-K
filing. Go to the sec.gov website and search for Apple Inc.’s most recent 10-K filing. Read
through the Item 1, Business, and Item 1A, Risk Factors, sections. Based off this discussion,
what accounts do you believe might be susceptible to misstatement and why?
LO 4-4
4.68 Preparing and Analyzing an Aging Schedule — Using IDEA. For this exercise, your
client, Bright IDEAs Inc., has provided you with a listing of sales invoices. To test whether
the client appears to have a receivables collectability problem, the auditor must complete a
series of related steps:
1. Import the client’s database of sales invoices. You may have already completed this step
in Chapter 3.
2. Perform an aging analysis by following the instructions in the IDEA Workbook.
Required Data and additional instructions available on McGraw-Hill Connect.
Required:
Complete the preceding steps and answer the following questions:
a. What percentage of customers have accounts that are aged greater than 90 days?
b. What percentage of customer balances are aged greater than 90 days?
c. What effects would the findings in parts (a) and (b) have on the auditor’s assessment of
the risk of material misstatement? What accounts and assertions are most likely influenced by these findings?
Chapter 4
LO 4-4
The Audit Risk Model and Inherent Risk Assessment 169
4.69 Summarizing Obsolete Inventory — Using IDEA. For this exercise, your client, Bright
IDEAs Inc., has provided you with a listing of inventory as of year end. To analyze the
amount of obsolete inventory, as reported by the client, the auditor must complete a series of
related steps:
1. Import the client’s database of inventory on hand. You may have already completed this
step in Chapter 3.
2. Summarize items identified as obsolete by the client by following the instructions in the
IDEA Workbook.
Required Data and additional instructions available on McGraw-Hill Connect.
Complete the preceding steps and answer the following questions:
a. What percentage of the dollar amount of the client’s inventory has been identified as
obsolete?
b. What effects would the findings in part (a) have on the auditor’s assessment of the risk of
material misstatement? What accounts and assertions are most likely influenced by these
findings?
LO 4-4
4.70 Analyzing Profit Margins — Using IDEA. For this exercise, your client, Bright IDEAs
Inc., has provided you with a listing of inventory as of year end, which includes current selling prices. To test whether profit margins appear adequate to justify the inventory valuation
provision, the auditor must complete a series of related steps:
1. Import the client’s database of inventory on hand. You may have already completed this
step in Chapter 3 or Exercise 4.69.
2. Create an analysis of selling price changes by following the instructions in the IDEA
Workbook.
3. Create an analysis of profit margins by following the instructions in the IDEA Workbook.
Required Data and additional instructions available on McGraw-Hill Connect.
Required:
Complete the preceding steps and answer the following questions:
a. What percentage of inventory items have price movements in excess of 50%? How many
of these items experienced price increases? How many experienced price decreases?
Which direction of change would be most concerning to the auditor?
b. What percentage of items have negative profit margins?
c. What effects would the findings in part (a) and (b) have on the auditor’s assessment of the
risk of material misstatement? What accounts and assertions are most likely influenced
by these findings?
Apollo Shoes
Preliminary Analytical Procedures
You are a recently promoted senior (in charge) auditor for Anderson, Olds, and Watershed and have been assigned to the engagement team of a new audit client, Apollo Shoes
Inc. You have been asked to perform preliminary analytical procedures in an effort to
help identify significant accounts and relevant assertions and assess risk of material misstatement. Detailed instructions for performing the preliminary analytical procedures, as
well as working papers, can be found in Connect.
Apollo Shoes
Audit Risk Model
You are a recently promoted senior (in charge) auditor for Anderson, Olds, and Watershed
and have been assigned to the engagement team of a new audit client, Apollo Shoes Inc.
You have been asked to evaluate a set of facts to determine the relationship of each with
inherent or control risk, in an effort to determine the impact on detection risk. Detailed
instructions for performing the audit risk case, as well as working papers, can be found
in Connect.
Appendix 4A
Selected Financial Ratios
Balance-Sheet Ratios
Current ratio
Days’ sales in receivables
Formula*
Current assets  ​​
_______________
  
​​    
Current liabilities
Ending net receivables
​​ ___________________
  
  
 ​​
Doubtful account ratio
Credit sales / 360
Allowance
for doubtful accounts
___________________________
​​    
  
 ​​
Ending gross receivables
Days’ sales in inventory
Ending inventory
​​ ___________________
  
   ​​
Cost of goods sold / 360
Debt-to-equity ratio
Current liabilities and long-term debt
_______________________________
   
​​ 
  
 ​​
Stockholder equity
Operations Ratios
Receivables turnover
Inventory turnover
Cost of goods sold ratio
Credit sales
​​ ___________________
  
  
 ​​
Ending net receivables
Cost of goods sold
________________
​​   
   ​​
Ending inventory
Cost of goods sold
________________
​​   
 ​​
Net sales
Gross margin ratio
Net sales − Cost of goods sold
_________________________
​​    
  
 ​​
Net sales
Return on stockholder equity
Net income
_________________________________
​​   
   
 ​​
Stockholder equity (​​​beginning balance​)​​
Financial Distress Ratios (Altman)
The discriminant Z-score is an index of a company’s financial health. The higher the score, the healthier the company. The lower the score, the closer
financial failure approaches. The score that predicts financial failure is a matter of dispute. Research suggests that companies with scores above 3.0
never go bankrupt. Generally, companies with scores below 1.0 experience financial difficulty of some kind. The score can be a negative number.
(X1) Working capital/Total assets
(X2) Retained earnings/Total assets
Current assets
− Current
liabilities
____________________________
​​    
  
 ​​
Total assets
Retained earnings (​​​ending​)​​
_______________________
  
​​ 
  
 ​​
Total assets
(X3) Earnings before interest and taxes/Total assets
Net income + Interest expense + Income tax expense
​​ ___________________________________________
    
   
 ​​
Total assets
(X4) Market value of equity/Total debt
Market value of common and preferred stock
​​ _____________________________________
    
   
 ​​
Current liabilities and long-term debt
(X5) Net sales/Total assets
Discriminant Z-score (Altman)
___________
​​  Net sales  ​​
Total assets
1.2 * X1 + 1.4 * X2 + 3.3 * X3 + 0.6 * X4 + 1.0 * X5
*These ratios are shown to be calculating using year-end rather than year-average numbers for balances such as accounts receivable and inventory. Other accounting and finance reference
books could contain formulas using year-average numbers. As long as no dramatic changes have occurred during the year, the year-end numbers can have much audit relevance because they
reflect the most current balance data. For comparative purposes, the ratios should be calculated on the same basis for all years being compared.
Appendix 4B
Sample Audit Memorandum
INTEGRATED CARE HEALTH INSURANCE INC AUDIT
MEMORANDUM (ABRIDGED)
OVERVIEW
Integrated Care Health Insurance Inc. (Integrated) offers a variety of valuable products
and services ranging from medical, dental, and behavioral health coverage to life insurance
and disability plans as well as management services for Medicaid plans. Purchasing health
coverage ensures future security with respect to high and unexpected costs of health care
for individuals, families, and businesses. Benefits offered by Integrated include not only
coverage for medical expenses but access to a wide network of doctors, hospitals, and
specialists.
PRODUCT PRICING
Integrated uses a special process to calculate premiums charged for services offered.
The method involves pooling customers with similar characteristics into a single risk group
based on age, gender, medical history, lifestyle, and other factors such as benefits desired,
administration costs, and tax obligations. After Integrated pools customers into their
respective risk groups, Integrated has the responsibility to balance projected future costs
with premiums charged. The most important factor in determining financial success for
Integrated is its ability to predict trends and future medical costs. Therefore, faulty forecasts
can lead to huge risks and downfalls for Integrated if expectations fall short of actual results.
Competing in an industry where new technology and medical breakthroughs are discovered
almost daily means that sustaining profitability is an increasing concern.
GOVERNMENT INFLUENCES
Along with a great deal of risk being inherent in its business, Integrated operations are
impacted by the U.S. economy and unemployment rate. Additionally, the health care reform
legislation passed in 2023 has caused significant changes to many facets of the industry’s
operation. Given that the new legislation requires coverage for those who are currently
uninsured, the insurance companies acquired millions of new customers virtually overnight.
Health care reform is a constant source of debate in the government, therefore it is uncertain
how future legislation will impact the industry.
CUSTOMERS, SUPPLIERS, AND COMPETITORS
Integrated’s customers include employer groups, self-employed individuals, part-time and
hourly workers, governmental organizations, labor groups, and immigrants. Although there
are a considerable number of companies competing, experts have noted a trend that competition is virtually disappearing due to the domination of markets by only a few providers.
In a study published by the American MedicalAssociation, 24 of 43 states have one or
two insurers constituting a market share of a staggering 70 percent.11 These statistics may
suggest that there is essentially no competition in the market. However, 1,300 companies
are competing in the health insurance industry, and Integrated faces significant competition
in highly concentrated markets. In addition to the competition and governmental influences
already present, Integrated is also facing competition from hospitals that play a pertinent
role in determining the amounts billed for services provided.
11
D. W. Emmons, J. R. Guardado, C. K. Kane, “Competition in Health Insurance: A Comprehensive Study of U.S. Markets, 2010 Update,”
American Medical Association.
172 Part Two The Financial Statement Audit
RISK ASSESSMENT
The following analysis provides an overview of the identified risks and expected controls
for Integrated for one accounting cycle.
REVENUE AND COLLECTION CYCLE
Risks
Due to the contract nature of the insurance industry, revenue recognition is not a high-risk
area when compared to other industries. Integrated has set contracts with commercial
organizations, individuals, and the government. Therefore, large fluctuations throughout
the year do not typically occur. However, one area of significant risk involves the Medicare
risk adjustment. The Centers for Medicare & Medicaid Services (CMS) determines
Medicare and Medicaid premium payments employing a risk-based formula using coding
provided by the insurance companies based on data from the diagnosis. Members with
Medicare and Medicaid benefits associated with the health insurance entity are given
a risk category based on their health conditions. However, because these contracts are
preset for a year, patients’ risk categories might fluctuate, causing an increase in needed
payment from the CMS. Integrated must ensure that revenue is recognized properly by
recording a risk adjustment for the difference between what CMS paid and what should
have been paid based on the appropriate risk categories. CMS also performs audits
known as Risk Adjusted Data Validation (RADV) audits to ensure CMS remits premium
payments to insurance organizations appropriately.
Another area of significant risk around revenue recognition involves the Medicare
Part D risk-sharing provision. With Medicare Part D, insurance entities contract with
CMS for set premiums on an annual basis. The ultimate payment of total premiums,
however, depends on certain thresholds that might require additional payment by CMS or
reimbursement to CMS. A reconciliation (true-up) is performed after year-end to account
for these differences. However, because this true-up process might occur six to nine
months after year-end, Integrated must account for this process by recording receivables or
payables that estimate these differences. Significant estimates are used to develop these
adjustments and require the company to plan the audit procedures to provide reasonable
assurance that these estimates do not include material misstatements.
Controls
The difficulty in predicting revenue adjustment amounts from these two programs concerns
Integrated management’s assertions of completeness, accuracy, valuation of financial
statement accounts, and proper disclosure of required revenue recognition elements. To
meet disclosure assertions, Integrated established a disclosure committee to determine
what revenue-related disclosures should be made regarding Medicare and Medicaid.
This committee meets prior to the release of each quarter’s financial statements or as
often as management requires. Valuation and accuracy assertions are met by requiring
that qualified personnel utilize acceptable models commonly used in industry practice
when estimating the amounts for the varying revenues. Appropriate supervisors review
all estimates for accuracy and verify that estimates conform to the company’s operational
objectives.
AUDIT APPROACH
Due to the high-risk nature of the unique business and audit risks detailed here, an audit
plan for Integrated must include both test of controls and substantive procedures to provide for the appropriate level of detection risk. As mentioned, significant estimates are
included in the financial statements for almost every accounting cycle within the health
insurance industry. The amount of management judgment needed to determine these estimates requires the use of extensive substantive testing to provide reasonable assurance
that material misstatements do not exist within the financial statements. The following
Chapter 4
The Audit Risk Model and Inherent Risk Assessment 173
detailed audit plan provides guidance on the types of control testing and substantive testing
that would provide reasonable assurance that material misstatements do not exist in relation to the risks outlined within this report.
AUDIT STRATEGY MEMORANDUM
Integrated Care Health Insurance Inc.
Overview
This audit strategy is intended to provide our responses to the risks identified for Integrated and generally detail the associated tests of
controls and substantive procedures that will be required during the audit.
Risks
Revenue recognition related to participation in Medicare and Medicaid programs (Revenue and Collection Cycle)
Assertions
Tests of Controls
Substantive Procedures
Valuation or allocation
Test information technology and manual controls relative to
calculation of revenues from Medicare and Medicaid contracts.
Reperform revenue calculations for a
sampling of Medicare- and Medicaidissued contracts.
Confirm that management estimates for risk-sharing and riskadjustment provisions (reviews include determining whether
qualified personnel perform the estimates, making estimates
conform to industry practices, and verifying that estimates are
accurate).
Reperform estimates for risk-sharing
and risk-adjustment provisions.
Confirm that assumptions and methodologies for estimates of
risk-sharing and risk-adjustment provisions are documented and
approved by management.
Produce independent estimates for
risk-sharing and risk-adjustment
provisions.
Obtain an understanding of assumptions and methodology of
estimates for risk-sharing and risk-adjustment provisions.
Presentation and disclosure
Confirm that a disclosure committee has been established.
Review disclosure committee meeting
minutes
Confirm that comparisons of actual and budgeted Medicare
and Medicaid revenues are conducted by management and
significant variances are monitored.
Review board of directors meeting
minutes, agreements, budgets, and
plans for Medicare and Medicaid
revenues that should be included in
financial statements.
Test whether disclosures and
classifications conform to accounting
principles.
Source: Mark Fedewa, Emily O’Bryan, Amela Pajazetovic, and Susan Schmidt, “An Analysis of Business and Audit Risk for a Health Insurance Provider,” unpublished working paper,
University of Kentucky. February 28, 2011.
CHAPTER 5
Risk Assessment:
Internal Control
Evaluation
Adequate internal controls are the first line of defense in detecting
and preventing material errors or fraud in financial reporting . . .
when internal control deficiencies are left unaddressed, financial
reporting quality can suffer.
As stated on January 29, 2019, by SEC Chief Accountant Wesley Bricker when
commenting on the issuance of separate “cease and desist” orders against four public
companies for failure to maintain proper internal controls. SEC (online source).
Professional Standards References
AU-C/ISA
Section
AS
Section
General Principles and Responsibilities of the Independent Auditor
200
1001, 1005,
1010, 1015
Audit Documentation
230
1215
Consideration of Fraud in a Financial Statement Audit
240
2401
Communications with Audit Committees
260
1301
Communications about Control Deficiencies in an Audit of Financial Statements
265
1305
Reporting on Whether a Previously Reported Material Weakness Continues to Exist
265
6115
Audit Planning
300
2101
Identifying and Assessing Risks of Material Misstatement
315
2110
Consideration of Materiality in Planning and Performing an Audit
320
2105
The Auditors’ Responses to the Risks of Material Misstatement
330
2301
Audit Evidence
500
1105
Consideration of the Internal Audit Function
610
2605
Compliance Auditing Considerations in Audits of Recipients of Governmental Financial Assistance
935
6110
Topic
174
Chapter 5 Risk Assessment: Internal Control Evaluation 175
LEARNING OBJECTIVES
An important objective of the internal control system is
to help ensure that the financial statement information
being presented by an organization is credible and can
be relied upon. Therefore, it is essential that an auditor
take the time to understand whether an entity’s internal
control system has been designed and is operating
effectively. In fact, the fundamental principles of
auditing state that, to fulfill auditors’ responsibility “[t]o
obtain reasonable assurance . . . the auditor identifies
and assesses risks of material misstatement, whether
due to fraud or error, based on an understanding of
the entity and its environment, including the entity’s
internal control” [emphasis added].
Beyond its importance in the production
of reliable financial statement information, the
establishment of an internal control system is an
important management function to help ensure
the effectiveness and efficiency of operations and
the entity’s compliance with laws and regulations.
As a result, understanding the elements of internal
control and how to evaluate their effectiveness is an
important skill that every accountant should have.
Even if you do not work as an auditor, you probably
will have responsibility for internal controls at some
point in your accounting career.
This chapter presents a general introduction
to the theory and definitions you will find useful
for internal control evaluation and control risk
assessment. The chapter uses the payroll cycle to
provide specific examples of internal control activities
and related audit procedures.
Your objectives are to be able to
LO 5-1
Define and describe what is meant by
internal control.
LO 5-2
Distinguish between the responsibilities
of management and auditors regarding an
entity’s internal control.
LO 5-3
Define and describe the five basic
components of internal control and specify
some of their characteristics.
LO 5-4
Explain the process the audit team uses to
assess control risk; understand its impact
on the risk of material misstatement;
and, ultimately, know how it affects the
nature, timing, and extent of further audit
procedures to be performed on the audit.
LO 5-5
Explain the communication of internal control
deficiencies to those charged with governance, such as the audit committee and
other key management personnel.
INTRODUCTION
On January 29, 2019, the SEC issued “cease and desist” orders against four issuers: Lifeway
Foods Inc., Digital Turbine Inc., CytoDyn Inc., and Grupo Simec S.A.B de C.V.
According to the SEC’s orders, each company had acknowledged that their internal control systems had material weaknesses. However, after providing each of these companies
with as many as 10 years to address their problems, the SEC finally had enough and
decided to take action.
As stated in their “cease and desist” orders, “disclosure of material weaknesses is not
enough without meaningful remediation. We are committed to holding corporations
accountable for failing to timely remediate material weaknesses.”1 It seems clear that the
substantial penalties levied by the SEC send a message to all issuers that if your internal
control system has a material weakness, the management team had better take remedial
action to fix any problems that exist. Because, if they do not, the SEC will take action.
Why the emphasis on internal controls by the SEC? To start, maintaining a system of
internal controls for the accounting system is required under the law by the Securities and
Exchange Act of 1934 for public entities, also known as issuers. In addition, Section 404
of the Sarbanes-Oxley Act of 2002 requires the management team of issuers to assess
the effectiveness of its own system of internal control and then have an independent CPA
firm assess the effectiveness of its internal control system during its annual audit.
By holding both management and the auditor responsible for evaluating the effectiveness of the internal control system, the Act appears to have imposed the necessary oversight
1
“SEC Charges Four Public Companies With Longstanding ICFR Failures,” Release No. 2019-6, SEC, January 29, 2019.
176 Part Two The Financial Statement Audit
to improve the accuracy and reliability of the financial statements reported by the entity.
Indeed, the Act places an emphasis on the internal control system as an important mechanism
to prevent or detect material misstatements in the financial statements due to fraud. Simply
stated, the intense scrutiny on both the design and operating effectiveness of internal control
systems over financial reporting improves the reliability of the financial statements which
clearly benefits the capital markets, as shown in the following auditing insight.
AUDITING INSIGHT
Was The Tweet Worth $20 Million?
Elon Musk, the billionaire co-founder of Tesla Inc., will pay a $20
million fine to the SEC for a tweet made on August 7, 2018, which
indicated that he had secured financing to take the company private,
causing an increase of over six percent in the company’s stock price.
The SEC’s complaint against Tesla relates to the lack of controls or procedures in place as to whether Musk’s tweets contained
information required in SEC disclosures. The SEC also contends that
Tesla did not have sufficient processes in place to determine whether
the tweets were accurate or complete.
Source: “Elon Musk Settles SEC Fraud Charges; Tesla Charged With and
Resolves Securities Law Charge,” Release No. 2018-226, SEC, September 29,
2018.
In this chapter, we explore the process followed by auditors to gain an understanding
of and then evaluate the internal control system on audits of issuers and nonissuers. There
are a number of additional considerations and steps that need to be taken by auditors
when completing an audit of the internal control system for issuers as required by Section
404 of the Sarbanes-Oxley Act of 2002. These matters are covered in detail in Module I.
DEFINITION OF INTERNAL CONTROL
LO 5-1
Define and describe what is
meant by internal control.
For purposes of the financial statement auditing process, as you will soon learn in this
chapter, if the system of internal control is properly designed and is also operating effectively, it should be producing reliable financial statements. The most important goal of
the system should be to produce reliable financial statements, and as long as the system
is operating effectively, auditors should be able to rely on the internal control system to
reduce substantive testing procedures. Of course, audit professionals need to follow a
required process in order to reach this conclusion, which we cover in this chapter.
Internal Control Effectiveness
The Committee of Sponsoring Organizations (COSO) is responsible for defining what
is meant by internal control effectiveness. COSO is comprised of leaders in the auditing
profession from the Financial Executives Institute, the American Accounting Association,
the Institute of Internal Auditors, the Institute of Management Accountants, and the
American Institute of Certified Public Accountants. It publishes an integrated framework
which is used by management teams and auditors as the benchmark to assess internal
control effectiveness.2 The resulting report, known as the COSO framework, was last
updated in 2013 and defined internal control as follows:
Internal control is a process, effected by an entity’s board of directors, management and
other personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the following three categories:
∙ Reliability of financial reporting.
∙ Effectiveness and efficiency of operations.
∙ Compliance with applicable laws and regulations.
Stated differently, internal control is a set of policies and procedures designed to achieve
management objectives in three different categories. In the financial reporting category,
2
COSO, “Enterprise Risk Management—Integrated Framework Executive Summary,” September 2004, New York: AICPA, p. 2.: COSO.
“Enterprise Risk Management—Integrating with Strategy and Performance,” June 2017, New York: AICPA.
Chapter 5 Risk Assessment: Internal Control Evaluation 177
the management objectives are related to producing reliable financial reports and safeguarding assets. In the operations category, some examples of management objectives
are maintaining a good business reputation, ensuring a positive return on investment,
increasing market share, promoting new product innovation, and using assets effectively
and efficiently. In the compliance category, the broad management objective is to comply
with laws and regulations that affect the entity. It is important to point out that external
auditors are primarily concerned with a client’s internal control system as it relates to the
financial reporting category.
The updated framework acknowledges the widespread use of the COSO framework
and provides enhancements that were specifically designed to make it easier to be
used as a benchmark for evaluating internal control effectiveness by auditors across
the world. We believe that the framework can be very helpful as students learn about
the underlying concepts and principles of an effective internal control system. As a
result of its importance, throughout this chapter we will highlight how the COSO
framework has impacted the auditor’s role in evaluating a client’s internal control
system during the audit.
Limitations of Internal Control
Internal control provides reasonable assurance, not absolute assurance, that management’s objectives will be achieved. Because people operate the controls, breakdowns
can occur. Internal control can help prevent and detect many errors, but it cannot guarantee that they will never happen. In that spirit, several limitations to internal control
systems prevent management from obtaining complete assurance that controls are absolutely effective:
∙ Human error due to mistakes in judgment, fatigue, and carelessness can still occur.
∙ Although controls are implemented to prevent and detect errors, deliberate circumvention
by people in the system can still occur. Consider the following:
∙ Because most internal controls are directed at lower-level employees, management
override can occur. For example, it is often possible for management to override
controls by force of authority (i.e., if the CEO says to do something, most employees will).
∙ Although separation of duties can be extremely effective in an internal control system, collusion among people who are supposed to act independently can lead to a
failure in the achievement of relevant internal control objectives.
In addition, one other limitation deserves special consideration. That is, an internal
control system is always subject to cost–benefit considerations. Internal control could
be made perfect, or nearly so, but at great expense. For example, at the lowest level
of control, a company’s inventory could be left completely unlocked and unguarded
(i.e., with no controls at all); next, a fence could be used; locks could be installed;
lighting could be used all night; television monitors could be put in place; or at the
highest level of control, armed guards could be hired. Each of these successive safeguards costs additional money (as does extensive supervision of clerical personnel in
an office). At some point, the cost of protecting the inventory from theft (or the cost
of supervisors catching every clerical error) exceeds the benefit of the internal control
activity. In the professional auditing standards, the concept of reasonable assurance
recognizes that the costs of controls should not exceed the benefits that are expected
from the controls. Hence, an entity can decide that certain controls are too costly considering the risk of loss that can occur.
Finally, it is important for students to remember that internal control is a process, a
means for management to achieve its objectives, not an end in itself. It is also dynamic,
operating every day within an entity’s operating structure, which can and does evolve as
the entity and its operating environment change over time.
178 Part Two The Financial Statement Audit
REVIEW CHECKPOINTS
5.1 What is the Committee of Sponsoring Organizations (COSO)? Briefly describe the purpose of the
COSO framework of internal control effectiveness.
5.2 What are the three management objectives of an internal control system according to the COSO
report? Which of the three is most important to auditors?
5.3 What is the concept of reasonable assurance as it relates to an internal control system? What are
the key limitations of an internal control system?
MANAGEMENT VERSUS AUDITORS’ RESPONSIBILITY FOR
INTERNAL CONTROL
LO 5-2
Distinguish between
the responsibilities of
management and auditors
regarding an entity’s internal
control.
Management’s Internal Control Responsibilities
The management team is responsible for establishing and maintaining an internal control
system. To accomplish this objective, management is responsible for assessing the full
range of risks it would like to control, including financial reporting risks. Such a risk
assessment process generally leads to the establishment of important objectives for the
internal control system. For example, management must make sure that transactions are
properly authorized, and that the accounting records and other system-generated reports
are complete and accurate. In addition, management must ensure the security of their
assets, including their data. It is also important that an appropriate control environment
is established which allows for the implementation of appropriate internal control activities, appropriate information and communication channels, and proper monitoring of the
operation of all internal control activities.
Management is also responsible for maintaining documentation that is sufficient to
provide evidence that the system of internal control has been designed and is operating
effectively. For example, such documentation needs to provide evidence regarding how
important internal control decisions were considered and ultimately how the final decisions were reached for key professional judgments. Finally, the documentation must be
robust enough to allow auditors to gain an understanding of the internal control system
and to determine whether the client’s internal control system can be relied upon when
conducting their overall financial statement audit.
Auditors’ Internal Control Responsibilities
Auditors are required to gain an understanding of the client’s internal control system
on each audit. They are also required to document that understanding in the audit
documentation. When gaining an understanding of the client’s internal control system, auditors will typically preliminarily assess the risk of material misstatement
(RMM) for each relevant assertion. The assessment of RMM at the assertion level
is completed for all financial statement audits in order to give the audit team a basis
for planning the audit and determining the nature, timing, and extent of further audit
procedures to be conducted for the financial statement audit. RMM is composed of
inherent risk and control risk. The assessment of inherent risk, the susceptibility of
an account to misstatement, was the focus of Chapter 4; this chapter focuses on control risk assessment.
Recall that control risk is the probability that an entity’s controls will fail to prevent or
detect material misstatements due to errors or frauds that would otherwise have entered
Chapter 5 Risk Assessment: Internal Control Evaluation 179
the system. The audit team assesses control risk to complete the preliminary determination of RMM for each relevant assertion identified in the audit plan; the higher the assessment of control risk, the higher the assessment of RMM. Most audit teams express their
control risk assessment decision with descriptive terminology (e.g., high, moderate, low),
which recognizes the imprecise nature of evaluating risk.
An audit team’s assessment of control risk as high implies that the controls are not
effective at preventing or detecting material misstatements and could not be relied upon
by the audit team. In this situation, the audit team would likely use substantive tests of
details designed to obtain evidence (nature) at or near the entity’s fiscal year-end (timing)
with large sample sizes (extent).
On the other hand, an audit team’s assessment of control risk as low implies that the controls
are effective at preventing or detecting material misstatements and could possibly be relied upon by
the audit team. In this situation, the audit team might be able to use less time-consuming
substantive analytical procedures to obtain evidence (nature) at an interim date before the
entity’s fiscal year-end (timing) with much smaller sample sizes (extent).
Of course, an audit team might assess control risk as moderate (between low and high)
and adjust the substantive procedures accordingly in order to obtain enough evidence to
mitigate the risk of material misstatement to a low level for the relevant assertion being
tested. Ultimately, the final decision about nature, timing, and extent of testing is a matter
of professional judgment for the audit team. Exhibit 5.1 illustrates the trade-off between
testing and relying on internal controls and how it impacts the nature, timing, and extent
of further audit procedures to be performed.
In addition, for each fraud risk that is identified during the planning stage (see Chapter 4),
the audit team should evaluate whether the client has implemented control activities that
are specifically designed to address the risk of fraud that has been identified. These might
include control activities that are designed to address fraud risks for specific financial
statement accounts or, more generally, control activities that are designed to promote a
culture of honest and ethical behavior. For example, the audit team evaluates the controls
related to the use of period-end journal entries on each audit engagement due to their
frequent use in the past to commit frauds at companies such as WorldCom, Waste Management, and Dell Inc.
EXHIBIT 5.1
Relationship between
Internal Control
Reliance and Audit
Procedures
Less Reliance on Internal Control (higher
control risk; higher RMM; lower detection risk)
More Reliance on Internal Control (lower
control risk; lower RMM; higher detection risk)
Nature
More effective tests (for example, use of
substantive tests of detail)
Less effective tests (for example, use of
substantive analytical procedures)
Timing
Testing performed at year-end
Testing can be performed at interim
Extent
Higher sample size
Lower sample size
REVIEW CHECKPOINTS
5.4 What are management’s and auditors’ respective responsibilities regarding internal control?
5.5 Define control risk and explain the role of control risk assessment in audit planning.
5.6 What is the primary reason for conducting an evaluation of an audit client’s internal control on a
financial statement audit?
5.7 How does control risk affect the nature, timing, and extent of further audit procedures?
180 Part Two The Financial Statement Audit
COMPONENTS OF INTERNAL CONTROL
LO 5-3
Define and describe the five
basic components of internal
control and specify some of
their characteristics.
According to the COSO framework, an internal control system that is designed and operating
effectively will have met three overarching goals within an organization (Exhibit 5.2).
First, the system will allow for effective and efficient operations. Second, it will allow for
reliable financial reporting. And third, the system will allow the organization to comply
with laws and regulations.
To achieve the specific objectives for each of these three goals, the COSO framework
defines five interrelated components of a properly designed internal control system: (1)
control environment, (2) risk assessment, (3) control activities, (4) monitoring, and (5)
information and communication. It is important to point out that the five components
should not operate independently of each other. Instead, they should be considered as
working in an integrated manner to support the internal control system’s overall effectiveness. Each of these components is now discussed in detail.
Control Environment
The control environment sets the tone of the organization. It is the foundation for all
other components of internal control. It provides discipline and structure to all participants and stakeholders. Control environment factors include the integrity, ethical
values, and competence of the entity’s people. According to the COSO framework, a
well-functioning internal control environment is characterized by philosophies such as
the following:
∙ Integrity and ethical values. Sound integrity and ethical values, particularly of top
management, are developed and understood and set the standard of conduct for financial reporting.
∙ Board of directors. The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.
∙ Management’s philosophy and operating style. Management’s philosophy and operating
style support achieving effective internal control over financial reporting.
EXHIBIT 5.2
Internal Control—
Integrated Framework
(COSO)
Internal control is
a management process
designed to achieve
Definition
Goals
Effectiveness and
efficiency
of operations
Reliable financial
reporting
Compliance with
laws and
regulations
Specific
Objectives
Various companyspecific objectives
Reliable financial
reports (e.g., in
accordance with
GAAP
Compliance
with applicable
laws and
regulations
Components
Control environment
Risk assessment
Control activities
Monitoring
Information and
communication
Chapter 5 Risk Assessment: Internal Control Evaluation 181
∙ Organizational structure. The company’s organizational structure supports effective
internal control over financial reporting by establishing clear and unambiguous reporting lines.
∙ Financial reporting competencies. The company retains individuals who are competent in financial reporting and related oversight roles.
∙ Authority and responsibility. Management and employees are assigned appropriate
levels of authority and responsibility to facilitate effective internal control over financial reporting.
∙ Human resources. Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.
Most importantly, the effectiveness of the control environment is influenced heavily
by a company’s management team and is strongly and unquestionably related to the “tone
at the top” set by management. The key is for management to be deliberate in trying to
impact the attitudes toward internal controls throughout the organization by setting the
proper example for the organization to follow. It has been said that the control environment
has a “pervasive” effect on the reliability of financial reporting because it affects all other
components of an organization’s internal control system.
AUDITING INSIGHT
Tone at the Top – How Hertz Got It Wrong
In February 2019, Hertz Global Holdings Inc. agreed to pay the SEC
$16 million to settle accounting fraud charges. Feeling the pressure to
meet internal budgets, business plans and earnings estimates, executives at Hertz overstated pre-tax income by $235 million from 2012 to
2014. The managers used improper accounting methodologies that
were inconsistent with GAAP in order to meet expectations.
However, Hertz isn’t taking this lying down. The company
has sued its former CEO, CFO, general counsel, and others in
an effort to clawback $70 million in incentive compensation that
was tied to the fraudulent financials. According to Hertz’s board,
the former CEO “created a pressure-cooker work environment in
which he leaned on subordinates to make “inappropriate accounting decisions’’ so the firm could hit its financial targets” sometimes
“berating subordinates who did not come up with ‘non-traditional’
accounting approaches to fill the gaps between Hertz’s actual and
expected performance.”
Sources: “SEC Charges Hertz with Inaccurate Financial Reporting and Other
Failures,” Administrative Proceeding File No. 3-18965, SEC, February 1, 2019;
“Hertz seeks $70 Million in Clawbacks Tied to Accounting Scandal,” Bloomberg, April 1 2019, (online source).
Because the control environment sets the overall foundation for internal control, professional auditing standards require an auditor to obtain an understanding of the control
environment on all engagements. As part of this understanding, auditors also have to take
the time to consider the functioning of the client’s board of directors and, in particular, the
impact of its audit committee on the client’s control environment. The audit committee is a
subcommittee of the board of directors that is generally composed of three to six independent members (those not involved in the entity’s day-to-day management) of the organization’s board of directors. Each member must be financially literate, and one member must
be a financial expert. The purpose of including independent members is to provide a buffer
between the audit team and the operating management team of the company. The buffer
allows the audit team (and the corporate internal audit department) to report any controversial findings to members of the board of directors without fear of reprisal.
For example, should the internal auditors find wrongdoing in the CEO’s office, it
would do no good to report the matter to the CEO. Similarly, if management does not
have control over appointing auditors, management is prevented from threatening to dismiss the auditors if they do not agree with an inappropriate accounting practice. Some of
the more important duties of the audit committee are:
∙ Appointment, compensation, and oversight of the public accounting firm conducting
the entity’s audit.
182 Part Two The Financial Statement Audit
∙ Resolution of disagreements between management and the audit team.
∙ Oversight of the entity’s internal audit function.
∙ Approval of nonaudit services provided by the public accounting firm performing the
audit engagement.
∙ Oversight of the anonymous fraud hotline that is designed to provide employees a confidential and effective manner in which to report possible financial reporting issues.
∙ Authority to engage legal counsel in the event of management fraud.
Small and midsize entities may implement the control environment factors differently
than larger entities. For example, smaller entities might not have a written code of conduct but instead develop a culture that emphasizes the importance of integrity and ethical
behavior through oral communication and by management example. Similarly, a smaller
entity may not have an independent or outside member on its board of directors. Regardless of the size of the entity, the COSO framework establishes principles which, if applied
properly, should result in an effective control environment component.
Risk Assessment
In recent years, entities of all sizes have increasingly recognized the need for a formalized
process to identify, properly assess, and ultimately manage the full range of business risks
that they face: factors, events, and conditions that can prevent organizations from achieving their business objectives. One way managers address these concerns is to employ an
enterprise risk management (ERM) framework such as the one developed by COSO to facilitate
the assessment and mitigation of business risks that the entity faces. COSO defines ERM
as “a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to
provide reasonable assurance regarding the achievement of entity objectives.”3 In other
words, management, boards, and employees have to be constantly thinking about what
could go wrong with the business and how they can prevent it.
Although not all entities will employ a robust ERM framework, at a minimum, an
effective internal control system will include some type of process where management
takes the steps necessary to identify risks, estimate their significance and likelihood, and
consider how to manage the risks. By setting management objectives, management can
identify critical success factors and institute policies and procedures to ensure that they
are met. (Note: The risk assessment element of the COSO framework is management’s
responsibility and is not related to an auditor’s assessment of inherent risk, control risk,
and the overall risk of material misstatement at the assertion level.) Although an audit
client’s risk assessment process should relate to all its objectives, the professional standards require the auditor to specifically gain an understanding of the process as it relates
to financial reporting risks, including fraud risk. When gaining such an understanding,
the auditor should determine whether management is actually assessing the likelihood of
fraud risks and how it is managing such risks.
In completing their work, the audit team members seek to understand whether management is specifying financial reporting objectives with sufficient clarity and criteria to
enable the identification of risks of material misstatement in financial reporting, in particular due to fraud. Once identified, the audit team also would like to see that management has a basis for determining how to manage the identified risks. For smaller entities,
the risk assessment process is likely to be less formal and less structured. Although all
entities should have established financial reporting management objectives, they may be
recognized implicitly rather than explicitly in smaller entities. Regardless of the size of
the entity, the COSO framework establishes principles that, if applied properly, should
result in an effective risk assessment component when evaluating the system of internal
control.
3
COSO, “Enterprise Risk Management —Integrated Framework Executive Summary,” September 2004, New York: AICPA.
Chapter 5 Risk Assessment: Internal Control Evaluation 183
REVIEW CHECKPOINTS
5.8
What are the five components of management’s internal control?
5.9
What is the control environment?
5.10 What is an audit committee? What are its duties?
5.11 What is the purpose of risk assessment for an entity?
Control Activities
In a well-functioning internal control system, once the risks to management’s objectives have
been identified, internal control activities are established to eliminate, mitigate, or compensate
for the risks. Control activities are specific actions that a client’s management and employees
take to help ensure that management’s directives are carried out. The professional standards
require the audit team members to document their understanding of the internal control system
on each audit, which includes their understanding of whether management has implemented
control activities that are sufficient to address the risks of material misstatement for each relevant assertion related to each significant account or disclosure.
To answer this important question, the audit team members usually begin the process
by considering what they learned about the internal control system as they were gaining
an understanding of the other components of the COSO framework—in particular, the
control environment and risk assessment components described earlier. The next step
in the process requires the audit team members to document their understanding of the
extent to which each of the client’s control activities has been designed to sufficiently
address a relevant financial statement assertion. To do so, an auditor first considers “what
could go wrong” for each of the identified relevant assertions. That is, an auditor must
consider how a material misstatement could occur for each relevant assertion. Once each
“what could go wrong” is identified, an auditor must then determine if management has
implemented a control activity that is designed to mitigate the risk of material misstatement identified for that assertion. This step will be covered in more depth later in the
chapter. However, for now, see Exhibit 5.3 for several examples of this process that might
occur for several relevant assertions related to the revenue account.
Importantly, when documenting their understanding of the internal control system, the
audit team should keep in mind the following questions related to control activities:
∙ Information technology. Has the audit client taken full advantage of their existing technological platform (e.g., SAP) by using entirely automated control activities whenever
it is efficient and effective?
∙ Level of integration with their risk assessment process. Has the audit client’s management team taken the actions necessary to sufficiently address the identified risks of
material misstatement for each relevant assertion?
EXHIBIT 5.3
Relevant Assertions,
What Could Go
Wrong and Control
Activities for the
Revenue Account
Relevant Assertion
What Could Go Wrong?
Control Activity
Occurrence
Sales revenue is recorded when
the goods have not been shipped
to the customers.
All sales invoices are matched to
shipping documents before recording
them in the general ledger.
Valuation
Goods will be shipped to a new
customer who is unable to pay for
the goods.
The credit department performs a
detailed credit check for all new
customers.
Completeness
Goods will be shipped to a
customer, and the revenue is not
recorded.
All shipping documents are matched
to sales invoices that have been
recorded in the general ledger.
Source: The Committee of Sponsoring Organizations of the Treadway Commission. COSO Internal Control—Integrated Framework
Principles. Accessed June 25, 2019 (online source).
184 Part Two The Financial Statement Audit
∙ Selection and development of control activities. Has the audit client’s management team
designed and implemented control activities with full consideration of their cost and their
potential effectiveness in mitigating the risks of material misstatement identified?
∙ Policies and procedures. Have the policies related to reliable financial reporting been
documented and communicated throughout the company by the audit client’s management team?
In addition, regardless of the size of the entity, the COSO framework establishes principles that, if applied properly, should result in an effective evaluation of the control
activities component.
Not surprisingly, there are a number of different types of controls in today’s financial statement audit environment. Ultimately, financial reporting control activities are
imposed on the accounting system for the purpose of preventing, detecting, and correcting
errors and frauds that could enter and flow through to the financial statements. Clearly,
preventive controls, procedures that prevent misstatements before they occur (those that
ensure hiring competent people, limiting access, requiring approval, separating duties,
etc.), are preferable to detective controls, procedures that detect misstatements after they
occur. In some sense, all control activities can be thought of as preventive controls because
the possibility of being caught by a detective control might prevent someone from committing an error or a fraud. Control activities also include management review controls,
information processing controls, physical security controls, and controls that allow for
proper separation of duties. Each of these additional categories is now discussed in turn.
Management Review Controls
An audit client’s management team has primary responsibility for ensuring that the
organization’s objectives are being met. As a result, management review controls are an
important way for a management team to actively participate in the supervision of operations. For example, management’s study of budget variances with follow-up action is an
example of a management review control. In general, a management team that performs
more frequent reviews has more opportunities to detect errors in the records than management that does not perform frequent reviews. The frequency, of course, is governed by
the costs and benefits. In addition, subsequent action to investigate or correct differences
is critically important to demonstrate that the control is truly operating in an effective
manner. Without a doubt, periodic management reviews and subsequent follow-up action
to correct identified errors tends to lower the risk that material misstatements exist in the
financial statement accounts.
Information Processing Control Activities
Information processing control activities are essential to the effectiveness of an internal
control system. Generally speaking, all organizations employ computerized information
processing on a routine basis. When entities use computerized information processing,
the professional standards make clear that information technology (IT) poses specific
risks to an entity’s internal control system. And, although the focus of this chapter is on
providing a broad understanding of internal control, you should be aware that the use
of computerized information processing requires entities to implement specific control
activities to enable it to support the relevant financial statement assertions.
For staff auditors in today’s financial statement audit environment, the most important
information processing control activities are the ones that are designed to ensure the completeness and accuracy of system-generated reports. Recall from Chapter 1 that a systemgenerated report is a report generated by the audit client’s information system that is used
to execute its internal control procedures or produce its financial statements. If such a
report is used by the audit client’s management for either of these purposes, the client
must have control activities in place to ensure that each report is complete and accurate.
See Exhibit 5.4 for several examples of system-generated reports and the related control
activity where the report is needed for its proper execution.
Chapter 5 Risk Assessment: Internal Control Evaluation 185
EXHIBIT 5.4
System-Generated
Reports and Internal
Control Activities
System-Generated Reports
Internal Control Activities
Accounts Receivable Aging
Report
The accounts receivable aging report is generated on a monthly basis
by the information system. The report is reviewed by the chief financial
officer to evaluate the adequacy of the allowance for doubtful accounts.
Three-Way Match Exception
Report
In an accounts payable process, the three-way match refers to the
process where a vendor invoice is compared to an approved purchase
order and a receiving report to make sure that a payable is valid before
payment is made. The three-way match exception report is generated on
a weekly basis by the information system to determine if any exceptions
exist. The report is reviewed by the accounts payable clerk and all
exceptions are followed up on and resolved by the clerk.
New-Hires Report
The new-hires report is generated on a quarterly basis by the information
system. The report is reviewed by the payroll clerk to ensure that all new
employees are reflected in payroll expense.
Source: The Committee of Sponsoring Organizations of the Treadway Commission. COSO Internal Control - Integrated Framework
Principles. Accessed June 25, 2019 (online source).
The full range of auditing considerations that are relevant to an audit client’s computerized information processing environment are discussed in detail in Module H. However, before moving on, it is important to realize that even “spreadsheet goofs” can pose
risks to an entity’s internal control system. As an example, consider that Fannie Mae
had to restate its unrealized gains account by $1.2 billion for errors in “mark-to-market”
calculations that were the result of “honest mistakes” that were made in a spreadsheet
that was used to implement a new accounting standard.4 In addition, although almost all
organizations employ computerized information processing, manual controls over certain information processing activities remain important in many systems. For example,
important manual control activities over the purchasing and cash disbursement cycle
include using purchase orders to ensure proper authorization (the occurrence assertion),
matching vendor invoices with receiving reports and purchase orders to ensure that the
quantity billed agrees with the quantity ordered and received at previously agreed-upon
prices (the accuracy assertion), and using and accounting for prenumbered documents
(checks, purchase orders, and receiving reports) to ensure that all transactions have been
recorded (the completeness assertion). The specific control activities for each cycle are
discussed in more detail in Chapters 6 through 10.
Physical Security Controls
Physical access to assets, data and important records, documents, and blank forms should
be limited to authorized personnel only. Assets such as inventory and securities should
not be available to persons who have no need to handle them. Likewise, access to records
should be denied to people who do not have a record-keeping responsibility for them.
Some blank forms are very important for accounting and certain control activities, and
their availability should also be restricted.
In addition, given the importance of the computerized information processing
system, physical security of computer equipment and restricting access to the organization’s
data and computer application files are important to achieving effective internal control.
Access controls help prevent the improper use or manipulation of data files, unauthorized use of computer programs, and improper use of the computer equipment. Overall, in
today’s environment, it is essential that organizations have a robust set of cyber security
control activities in place and operating effectively. As illustrated in the following Auditing
Insight, sometimes a weakness in cyber security control activities can lead to the loss of
assets.
4
“Fannie Mae Corrects Mistakes in Results,” New York Times, October 30, 2003, P. C1.
186 Part Two The Financial Statement Audit
AUDITING INSIGHT
Did They Really Lose $100 million?
In late 2018, the SEC reported that nine public companies, from a
variety of industries including technology, real estate, financial and
consumer goods, energy, and more, lost nearly $100 million to cyber
criminals. The companies were defrauded by two different schemes,
emails from fake executives and emails from fake vendors.
According to the report, the spoofed emails from fake executives “were not sophisticated frauds in general design or the use
of technology. In fact, from a technological perspective they only
required creating an email address to mimic the executive’s address.”
The emails actually included spelling mistakes! However, the fake
vendor emails were more sophisticated and were generally not
discovered as fraud until the real vendor contacted the company for
payment for its past due invoices. In each case, company personnel
wired money to the fraudulent accounts costing each of the nine companies anywhere from $1 million to $45 million dollars that will not be
recovered.
Sources: SEC (online sources).
Also, locked doors, security passes, passwords, and check-in logs can be used to limit
access to the computer system hardware. One way to detect inappropriate computer usage
is by specifying a planned schedule for running large-scale computerized applications.
A schedule can help detect unauthorized access because most software can produce usage
reports that can be compared to the planned schedule. Applications that are being run at
unauthorized times can then be investigated for inappropriate use of computer resources.
Separation of Duties
A very important characteristic of an effective internal control system is that an appropriate
separation of duties (or functional responsibilities) plan is in place . Four types of functional
responsibilities should be performed by different departments (see Exhibit 5.5), or at
least by different persons on the entity’s accounting staff:
1. Authorization to execute transactions. This duty belongs to people who have the
authority and the responsibility for initiating or approving transactions. Authorization
may be general, referring to a class of transactions (e.g., all purchases up to $100,000),
or it may be specific (e.g., sale of a major asset).
2. Recording transactions. This duty refers to the accounting and record-keeping function,
which is typically accomplished through the deliberate assignment of access rights to
employees in a computerized information system. People who control computerized
processing are the record keepers.
3. Custody of assets involved in the transactions. This duty refers to the actual physical
possession or effective physical control of property.
4. Periodic reconciliation of existing assets to recorded amounts. This duty refers to
making comparisons at regular intervals and taking appropriate action with respect to
any differences.
Incompatible responsibilities are combinations of responsibilities that place a person
alone in a position to create and conceal misstatements due to errors or frauds in her or
his normal job. Duties should be divided so that no one person can control more than one
of these responsibilities. If different departments or persons are forced to deal with these
different facets of transactions, frauds are more difficult to commit because they would
then require collusion of two or more persons, and most people hesitate to seek the help
EXHIBIT 5.5
Authorization
Separation of Duties
Reconciliation
Custody
Recording
Chapter 5 Risk Assessment: Internal Control Evaluation 187
of others in order to conduct wrongful acts. A second benefit of separating duties is that
by acting in a coordinated manner (handling different aspects of the same transaction),
innocent errors are more likely to be found and corrected. The old saying “Two heads are
better than one” is often proven to be true.
In most computerized information processing environments, employees who have access
to an application (such as payroll) might be in a position to perform incompatible functions. As a result, to achieve proper separation of duties, it is essential for an organization
to have a well-thought-out plan that limits employees’ access to the computerized information processing system (e.g., SAP, Oracle) to only those applications that are necessary for
such employees to complete their jobs. In effect, companies must design internal control
activities that will effectively limit opportunities for any one individual to both perpetrate
and conceal vmisstatements or losses due to errors or fraud. In most situations, these often
include password access controls that are designed to align the computer access rights to
transactions, data, key documents, and assets with only those employees who require such
access to complete their clearly defined role within the internal control system. In a sense,
proper separation of duties is accomplished through appropriate system access controls.
Control Activities: Other Considerations
When gaining an understanding of an internal control system, it is important for the auditor to consider the level of automation used to execute each control activity. In general,
control activities are categorized by auditors as purely manual controls, manual controls
that rely on a system-generated report, and entirely automated controls.
Manual controls are control activities that operate in a manner that is fully dependent on
a person. An example of this control would be a three-way match control in the purchases
cycle where the accounts payable clerk was responsible for physically matching the details
of a purchase order, receiving report, and a vendor invoice before authorizing the amount for
payment. Since the control is operated manually without the use of the computer information
system, there is no reliance on the computer information system for it to operate effectively.
Like purely manual controls, manual controls that rely on a system-generated report
also depend on a person. However, the difference is that the person operating the control
must rely on a report that is generated by the computer information system. An example
would be a control, executed by the controller, that was designed to evaluate the accounts
receivable aging report to determine the reasonableness of the allowance for doubtful
accounts. Importantly, the proper execution of the control is dependent on the completeness and accuracy of the accounts receivable aging report.
Entirely automated control activities operate completely within the computer information system. An example of this would be an automated credit approval control that
is used by a bank to ensure that it does not extend credit beyond each customer’s credit
limit. The proper execution of the control is entirely automated. Thus, when a customer
attempts to use the credit card, the amount of the sale is added to that customer’s existing
balance and the amount is compared to the credit limit for that customer. If you have ever
been denied when attempting to pay for dinner or purchase clothes, you certainly know
about this automated control.
REVIEW CHECKPOINTS
5.12 What is a control activity?
5.13 What is the difference between preventive controls and detective controls? Give an example of each.
5.14 What is a management review control? Please provide an example.
5.15 What is a system generated report? Please provide an example.
5.16 What is a physical security control? Why is it important in an internal control system?
5.17 What kinds of functional responsibilities should be performed by different departments or persons
in a control system with good separation of duties?
188 Part Two The Financial Statement Audit
Information and Communication
When evaluating the information and communication component of internal control, the
“auditor should obtain an understanding of the information system including the related
business processes, relevant to financial reporting. As part of that process, the auditor
must seek to understand the nature of the underlying accounting records, supporting
information and the accounts that are used to fully execute a transaction.” The auditor
should also understand “how the information system captures events and conditions,
other than transactions, that are significant to the financial statements.”5 Clearly, the size
of the entity will have an impact on this component. However, regardless of the entity’s
size. the COSO framework establishes principles that, if applied properly, should result in
an effective evaluation of the information and communication component.
The professional standards recognize that to make effective decisions, managers must
have access to timely, reliable, and relevant information. As a result, an entity’s information system should be designed to identify data from reliable external sources such as
suppliers, customers, economic databases, and so on, as well as internal sources. Having
superior information systems can be a part of an entity’s strategy and competitive advantage (e.g., Amazon.com). Management evaluates the quality of information by determining whether the content is appropriate and the information is timely, accurate, and
accessible. Note that these are sometimes contradictory. For example, waiting to ensure
that information is accurate can cause it not to be timely.
Communication includes report production and distribution. The account balances are
summarized in internal management reports and external financial statements. The internal reports are management’s feedback for monitoring operations. The external reports
are the financial information for outside investors, creditors, and others. Communication
also involves expectations, responsibilities of individuals and groups, and other important matters. Specific duties must be made clear, and people need to know how their
activities relate to the work of others. People also need to know what behavior is expected.
In addition, personnel need a means of communicating significant information upstream
in an organization. Outsiders also should know that fraudulent and unethical behavior by
entity personnel is unacceptable and should be reported to management.
The information system produces a trail of activities (often referred to as an audit
trail) from data identification to reports. You can visualize that the audit trail begins with
the source documents (purchase orders, sales orders, etc.) and proceeds through to the
financial reports. Auditors often follow this trail frontward and backward, identifying and
testing relevant control activities along the way (Exhibit 5.6). They follow it backward
from the financial reports to the source documents to determine whether everything in
the financial reports is supported by appropriate source documents (the occurrence assertion). They follow it forward from source documents to reports to determine whether
everything that happened (i.e., transactions) was recorded in the accounts and reported in
the financial statements (the completeness assertion).
EXHIBIT 5.6
Occurrence and
Completeness of a
Sales Transaction
Source: The Committee of
Sponsoring Organizations of
the Treadway Commission.
COSO Internal Control Integrated Framework
Principles. Accessed June 25,
2019 (online source).
Occurrence Direction
Sales Order
Sales
Authorization
Shipping
Documents
Sales Invoice
Completeness Direction
5
PCAOB Auditing Standard 2110, “Identifying and Assessing Risks of Material Misstatement.”
Financial
Statements
Chapter 5 Risk Assessment: Internal Control Evaluation 189
Information systems in small or midsize organizations are likely to be less formal
than in larger organizations, but their role is just as significant. Smaller entities with
active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Communication may be
less formal and easier to achieve in a small or midsize company than in a larger enterprise
because the smaller organization has fewer levels, and management has more visibility
and availability.
One final and very important consideration made by the audit team when gaining an
understanding of this component relates to the use of information produced by the company during the audit (like system-generated reports discussed previously). The professional standards are clear that an auditor cannot ever rely on information produced by the company’s
information system without investigation. Instead, the audit team is required to perform
audit procedures that are designed either to test the controls that have been designed to
ensure that the information is complete and accurate, or to test the completeness and
accuracy of the information using substantive testing procedures. This is most definitely
an area of PCAOB Inspection Focus, which we now illustrate.
PCAOB INSPECTION FOCUS
In a recent public report about its inspections program, the PCAOB
specifically discussed a recurring finding related to information that is
produced by the entity being audited. Specifically, the PCAOB noted
that its “inspections staff has continued to observe instances in which
auditors selected controls for testing but did not sufficiently test the
controls over completeness and accuracy of system-generated data
or reports used in the operation of those controls.” For example,
“management used reports that were generated by the issuer’s information system to perform its review control; however, the engagement team did not test controls over the accuracy and completeness
of these reports. In addition, the engagement team did not test the
reports to verify the completeness and accuracy of the individual
PCAOB Identifies Deficiencies Related
to System-Generated Data
variance calculations to determine whether the investigation of other
variances was necessary.” Because an entity’s use of IT affects the
fundamental manner in which information is produced, it is essential
that an auditor is comfortable with the completeness and accuracy of
all information used by management to execute control activities that
are deemed important to the auditor.
Sources: PCAOB Staff Inspection Brief - Preview of Observations from 2016
Inspections of Auditors of Issuers. Volume 2017/4. November 2017; PCAOB
Observations from 2010 Inspections of Domestic Annually Inspected Firms
Regarding Deficiencies in Audits of Internal Control over Financial Reporting.
PCAOB Release No. 2012-006. December 10, 2012 (both from online
sources).
Monitoring
The COSO framework recognizes that in order to allow for continuous improvements and
consider changes in the entity’s operating environment, management needs to monitor its
internal control systems. According to COSO, a well-functioning monitoring system is
characterized by philosophies such as the following:
∙ Ongoing and separate evaluations. Ongoing evaluations of controls that are separate
from other types of evaluations (e.g., operational) enable management to determine
whether the other components of internal control continue to function over time.
∙ Reporting deficiencies. Internal control deficiencies are identified and communicated
in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.
It is important to note that monitoring does not include regular management and
supervisory control activities and other actions that employees take in performing their
everyday duties. Effective monitoring involves ongoing evaluation of the controls. Some
common monitoring controls include:
∙ Periodic evaluation of controls by the internal audit department.
∙ Analysis of and appropriate follow-up of operating reports or metrics that might identify
anomalies indicative of a control failure.
190 Part Two The Financial Statement Audit
∙ Supervisory review of controls, such as reconciliation reviews as a normal part of
processing.
∙ Self-assessments by boards and management regarding the tone they set in the organization and the effectiveness of their oversight functions.
∙ Audit committee inquiries of internal and external auditors.
∙ Quality assurance reviews of the internal audit department.
As you can see, some of the control activities explained earlier in this chapter also
serve as monitoring activities. For example, analyzing customer complaints for follow-up
is a control activity, but analyzing them to determine whether the complaints result from
a weakness in other controls (e.g., a failure to compare shipping documents to customer
orders) is a monitoring activity.
Although the preceding procedures provide management with daily monitoring opportunities, the oversight provided to the entity by the board of directors (and, more specifically,
the audit committee) provides the highest level of monitoring. In addition, management’s
close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data. Finally, ongoing monitoring activities of small
and midsize entities are more likely to be informal and are typically performed as a part
of the overall management of the entity’s operations. However, regardless of the entity’s
size, the COSO framework establishes principles that, if applied properly, should result in
an effective evaluation of the monitoring component.
REVIEW CHECKPOINTS
5.18 What is meant by the information and communications component of an effective internal control
system? How can an auditor evaluate whether a client’s internal control system is functioning
properly for this component?
5.19 Give some examples of everyday activities that an entity’s management can use to enact the
monitoring component of internal control. When are such activities control activities, and when
are they monitoring activities?
INTERNAL CONTROL EVALUATION
LO 5-4
Explain the process the
audit team uses to assess
control risk; understand
its impact on the risk of
material misstatement;
and, ultimately, know how
it affects the nature, timing,
and extent of further audit
procedures to be performed
on the audit.
To this point, we have defined internal control and noted its limitations, identified both
management’s and the audit team’s responsibility for the internal control system, and
then described the five components of internal control defined by COSO in detail. The
five components of the COSO framework are considered to be essential criteria for evaluating an entity’s internal control over financial reporting for purposes of assessing the
risk of material misstatement (RMM) at both the financial statement and the relevant
assertion level. An essential component of assessing RMM at the relevant assertion level
is the assessment of control risk (along with the assessment of inherent risk which was
covered in Chapter 4) for each relevant assertion about each significant financial statement account or disclosure.
In this chapter, we explain how to assess control risk for each of the relevant assertions
identified in the planning stage of the audit. In assessing control risk, audit teams typically use a three-phase procedure: (1) understand and document the client’s internal control system at the relevant financial statement level; (2) assess the control risk for each
relevant assertion identified; and (3) identify controls to test and perform tests of control.
The three-phase procedure is also illustrated by the figure below:
Chapter 5 Risk Assessment: Internal Control Evaluation 191
Understand
and
Document
the Client’s
Internal
Control
Identify
Controls
to Test
and
Perform
Tests of
Control
Assessment
of Control
Risk
It is important to emphasize that these three phases must be completed for each relevant
financial statement assertion identified during the planning stage whenever the auditor plans
to rely on a control activity to modify the nature, timing, and extent of substantive audit procedures. We now describe each phase in detail, which is illustrated in Exhibit 5.7.
Control environment
Risk assessment
Control activities
Information and Communication
Monitoring
Obtain an understanding
of internal control
Narrative memo
Flowchart
Questionnaire
Document the understanding
For each relevant assertion, assess control
risk and design a preliminary program of
substantive procedures
Phase 2: Assess Control Risk
Assess control risk
(preliminary assessment)
Can
control risk
be low or less than
maximum?
No
Yes
Is reduction
of the control risk
assessment
cost effective?
No
Yes
Specify the control activity to be tested
Phase 3: Tests of Controls
Phases of Internal
Control Evaluation
Phase 1: Understand
and Document
EXHIBIT 5.7
Perform tests of controls
of the specified controls
Document the
basis for assessing
control risk less
than 100%
Yes
Is the
control activity
operating
effectively?
No
Perform the planned (or revised)
substantive procedures
Assess high or
maximum (100%) control
risk and design the
audit program for more
effective substantive
procedures
192 Part Two The Financial Statement Audit
Phase 1: Understand and Document the Client’s Internal Control System
The process of obtaining an understanding of the client’s internal control system and then
documenting that understanding should occur during the early stages of an audit engagement. On every audit engagement, the audit team should evaluate the design of the internal
control system and determine whether control activities have been implemented over
each relevant assertion related to each of the identified significant accounts and financial
statement disclosures. The initial procedures used to gain an understanding of internal
controls need to provide the audit team with an understanding of the control environment and
management’s risk assessment, the flow of transactions through the accounting system,
and the design of some client control activities.
Gaining an understanding of internal controls should be performed in a “top-down”
risk-based manner that first identifies significant accounts and disclosures and their
relevant assertions. This was discussed in Chapter 4. Recall that an account’s significance
is based in large part on its inherent risk (i.e., the likelihood of containing a material
misstatement before the consideration of internal control). Thus, audit teams focus on
likely sources of material misstatements. This determination is not based on quantitative
measures alone, however it is unlikely that a large, material account balance would ever
be omitted from consideration at this stage of the audit. Relevant assertions are those that
represent the reasonable possibility of a material misstatement. Thus, an assertion that
does not represent a meaningful risk of misstatement (e.g., completeness of cash) is not
relevant and should not be considered by the audit team.
Obtaining an Understanding of Internal Control
As previously stated, for each of the relevant assertions related to each significant account
and disclosure identified, audit teams begin by examining entity-level controls, controls
that are pervasive to the internal control system and the reliability of the financial statements
taken as a whole. See Exhibit 5.8 for a list of entity-level controls as identified in professional standards and the audit team’s methods used to obtain an understanding of such
controls. You will note that the standard setters explicitly include parts of each of the
EXHIBIT 5.8 Entity-Level Controls and Their Assessment
Types of Entity-Level Controls
Assessment
• Controls related to the control environment
• Controls related to management override
• Centralized processing and controls
including shared service environments
• Controls to monitor results of operations
• Controls to monitor other controls.
The primary evidence to test these controls is gathered through observation and
inquiry and some document examination. Ultimately, the auditor needs to determine
whether management’s integrity, values, and operating style promote effective control
consciousness throughout the entity.
• Management’s risk assessment
The audit team next needs to gain an understanding of how the client assesses and
responds to risk. If the client already uses enterprise risk management, inquiring and
obtaining documentation of such processes is usually enough.
• Period-end financial reporting process
The auditor should assess the processes that are used to produce its annual and quarterly
financial statements, including the extent to which information technology is involved in
the period-end process. The auditor must document who is actually participating from the
management team and where the process actually takes place. Finally, the auditor needs
to understand and document the types of adjusting entries that have occurred and the
extent of process oversight by the management team, the board, and the audit committee.
• Policies that address significant business
control and risk management practices
An entity’s internal auditors and systems staff often review and evaluate this
documentation. Independent auditors may review and study their work instead of doing
the same tasks over again. Other sources of information include (1) previous experience
with the entity as found in the prior-year audit, (2) responses to inquiries directed to client
personnel, and (3) examination of documents and records.
Chapter 5 Risk Assessment: Internal Control Evaluation 193
components of the COSO framework. This is deliberate. If the audit team decides that
an entity-level control sufficiently reduces a specific risk of material misstatement for a
relevant assertion, it may not need to delve further into transaction-level controls (discussed next) related to that risk. For example, if a chief financial officer who is very
familiar with the company’s payroll process performs reviews of weekly payroll reports
and investigates discrepancies thoroughly, this may provide a control that is sufficient to
meet the internal control objectives for payroll reporting (i.e., address or mitigate the risk
of material misstatement for each of the relevant assertions for payroll expense).
In addition to entity-level controls, the audit team also identifies transaction-level
controls, controls that pertain to specific classes of transactions, account balances, and
disclosures. The most effective method used by auditors to gain an understanding of the
internal control system is to perform a walkthrough of a single transaction through the entire
accounting system. During the walkthrough, the auditor is able to learn by observing the
activities that occur and the documents that are used within an internal control process.
When doing so, the professional standards state that auditors should seek to understand
(1) the flow of transactions; (2) the points in the process where a material misstatement
could occur; and (3) the controls that management has put in place to mitigate each risk
of material misstatement that is identified. The auditor must gain this understanding of
internal control in order to evaluate design effectiveness.
Design effectiveness determines whether the internal controls over financial reporting,
if operating effectively, would be expected to prevent or detect errors or fraud that could
result in a material misstatement in the financial statements. The techniques used by auditors
during a walkthrough include inquiry of personnel, observation of the client’s operations,
and examining documents while tracing a single transaction through the entire audit trail
from the beginning or the initiation of the transaction to its final inclusion in the financial
statements. Each client employee involved is asked to demonstrate the procedures that
he or she follows in processing the transaction. This aspect of the walkthrough is quite
important because, often, the information that is contained in procedure manuals and
understood by supervisors may not be the same as the procedures that are actually being
performed. People can change procedures to make them more efficient, they can forget to
perform procedures, they may go on vacation, they may even intentionally fail to perform
required procedures, or the procedures may not be well understood by the employee.
Once the walkthroughs are completed, the audit team has gained an understanding of the
design of internal controls (or at least how those internal controls are intended to function).
However, this does not necessarily inform the audit team about the operating effectiveness
of internal controls (unless there were automated controls testing or reperformance tests
completed during the walkthrough). Operating effectiveness refers to whether the control is
operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. Obtaining evidence to
test the operating effectiveness of identified internal controls will be discussed in a subsequent phase of the audit team’s evaluation of the internal control system.
Document the Internal Control Understanding
Once the audit team has completed the walkthrough and learned about the nature of the control
activities implemented and the design of the entity’s internal control system, they must document that understanding. The understanding can be summarized and documented effectively
in the form of narratives, flowcharts, and even questionnaires. Each of these is now discussed.
The most common way for documenting the audit team’s understanding of internal
control is to write a narrative description of each significant process within the internal
control system. Such a narrative is designed to describe all environmental elements, the
process flow of transactions through the accounting system, and all of the control activities that have implemented. The narrative description can be quite useful for all audits.
However, for larger complex entities which operate in multiple industries around the
world, it can be difficult to identify all of the process risk points, which are the points in
each process where a material misstatement might occur. As a result, auditors will often
augment the narrative description with a flowchart.
194 Part Two The Financial Statement Audit
Indeed, an accounting process flowchart is another commonly used method for documenting the auditors’ understanding of an entity’s internal control system. And, perhaps
most importantly, most companies have their own flowcharts that the audit team may use as
a starting point instead of constructing their own from scratch. The advantages of flowcharts
can be summarized by an old adage: “A picture is worth a thousand words.” Flowcharts tend
to help the audit team better assess the points in the process where a material misstatement
can occur which helps to reveal key points in the process where a control activity is needed.
This of course can be quite beneficial in helping audit teams identify missing control activities in the process.
Construction of a flowchart can be time-consuming because an auditor must take the
time to learn about the operating personnel involved in the system and gather samples of
relevant documents. Thus, the information for the flowchart, like the narrative description, involves much effort and observation. When the flowchart is complete, however,
the result is an easily evaluated, informative description of the system that shows the
various duties performed by individuals and provides graphic evidence of any conflicting responsibilities (i.e., lack of separation of duties). Further, once a flowchart is complete, subsequent audits can easily access the flowchart and update it for changes that
have been made in the process since the prior year. In recent years, flowcharting has
become even more popular as a way to document an auditor’s understanding of the internal control system, primarily because of its effectiveness in evaluating internal control
design. In addition, advances in technological tools have also made the construction of a
flowchart much more efficient.
Refer to Exhibit 5.9 for a partial flowchart representation of the beginning stages of a
payroll processing system. The connectors shown by the circled numbers indicate continuation on the flowchart. Ultimately, the flowchart ends showing entries in accounting
journals and ledgers. In Exhibit 5.9, you can see some characteristics of both flowchart
EXHIBIT 5.9 Payroll System Flowchart
Operating
Department
Human
Resources
Initiates
Hiring
Approves
Hiring
Time
Record
To
Employee
Update
Master
File
1
Review
Payroll
Master
File
Employment
Authorization
Employment
Authorization
Approved
by
Supervisor
Labor
Distribution
Information
Technology
Payroll
Payroll Program
3
2
Tax and
Payroll
Reports
Payroll
Register
1
Paycheck
or
Direct Deposit
Labor
Distribution
2
Payroll
Register
3
Tax and
Payroll
Reports
Review
Source: The Committee of Sponsoring Organizations of the Treadway Commission. COSO Internal Control - Integrated Framework Principles.
Accessed June 25, 2019 (online source).
Chapter 5 Risk Assessment: Internal Control Evaluation 195
construction and this specific accounting system. By reading down the columns for each
department, you can see that transaction-initiation authority and custody of checks are
separated (i.e., separation of duties).
Most importantly, for any flowcharting application, the chart must be understandable
to an audit supervisor. Flowcharts are created with audit-specific flowcharting software
but also can be created rather easily in Excel or PowerPoint. The flowchart should communicate all relevant information and evidence about separation of duties, authorization,
and accounting and control activities in an understandable, visual form. The starting
point in the system, if possible, should be placed at the upper-left-hand corner. The flow
of procedures and documents should be from left to right and from top to bottom as much
as possible. The shapes of the symbols are commonly understood and fairly obvious.
For example, rectangles are processes, circles are connectors, quadrilaterals are manual
processes, and so on. Narrative explanations should be written on the face of the chart as
annotations or in a readily available reference key.
A third way to document the auditor’s understanding of an internal control system is to conduct a formal interview with knowledgeable managers using an internal control questionnaire illustrated in Exhibit 5.10. Such a questionnaire is typically
organized under headings that identify questions related to relevant themes like the
control environment and relevant management assertions. Not all questionnaires are
organized like this, so audit teams need to know the general objectives in order to know
whether the questionnaire is complete. Likewise, if you are assigned to prepare an
internal control questionnaire, you will need to be careful to include questions about
each relevant assertion.
Internal control questionnaires are designed to help the audit team obtain evidence
about the control environment and the accounting and control activities that are considered appropriate for normal circumstances. All organizations have unique features,
and answers to the questions should not be taken as final and definitive evidence about
how well controls actually function. Evidence obtained through the interview process is
categorized as inquiry-level information that is not sufficient to demonstrate the operating effectiveness of a control activity. The person being interviewed could always give
answers that reflect what the system should be rather than what it really is. The person
can be unaware of informal ways in which duties have been changed or can be innocently
ignorant of the system details. Nevertheless, interviews and questionnaires can be useful
for detecting internal control weaknesses.
As we move forward to the next step of assessing control risk for each relevant assertion, it is important to point out that, in practice, audit teams typically use a combination
of methods to document their understanding of a client’s internal control system.
REVIEW CHECKPOINTS
5.20 What is an entity-level control and why is it important to the evaluation of internal controls?
5.21 What is a transaction-level-control?
5.22 What are the three different ways an auditor can document their understanding of a client’s internal control system?
5.23 What are the advantages and disadvantages of documenting internal control by using (1) an internal
control questionnaire, (2) a narrative memorandum, and (3) a flowchart?
196 Part Two The Financial Statement Audit
EXHIBIT 5.10 Internal Control Questionnaire—Payroll Processing
Yes/No
Comments
Control Environment
1. Are all employees paid by check or direct deposit?
2. Is a special payroll bank account used?
3. Are payroll checks signed by persons who do not prepare checks or keep cash funds or accounting records?
4. If a check-signing machine is used, are the signature plates controlled?
5. Is the payroll bank account reconciled by someone who does not prepare, sign, or deliver paychecks?
6. Are payroll department personnel rotated in their duties? Required to take vacations? Bonded?
7. Is there a timekeeping department (function) independent of the payroll department?
8. Are authorizations for deductions signed by the employees on file?
Occurrence
9. Are time cards or piecework reports prepared by the employee approved by her or his supervisor?
10. Is a time clock or other electromechanical or computerized system used?
11. Is the payroll register sheet signed by the employee preparing it and approved prior to payment?
12. Are names of terminated employees reported in writing to the payroll department?
13. Is the payroll periodically compared to personnel files?
14. Are checks distributed by someone other than the employee’s immediate supervisor?
15. Are unclaimed wages deposited in a special bank account or otherwise controlled by a responsible officer?
Completeness
16. Are names of newly hired employees reported in writing to the payroll department?
17. Are blank payroll checks prenumbered and the numerical sequence checked for missing documents?
Accuracy
18. Are all wage rates determined by contract or approved by a personnel officer?
19. Are timekeeping and cost accounting records (such as hours, dollars) reconciled with payroll
department calculations of hours and wages?
20. Are payrolls audited periodically by internal auditors?
21. Are individual payroll records reconciled with quarterly tax reports?
Classification
22. Do payroll accounting personnel have instructions for classifying payroll debit entries?
Cutoff
23. Are monthly, quarterly, and annual wage accruals reviewed by an accounting officer?
Phase 2: Assessment of Control Risk
Understand
and
Document
the Client’s
Internal
Control
Assessment
of Control
Risk
Identify
Controls
to Test
and
Perform
Tests of
Control
After completing the first phase of understanding and documenting internal control, the
audit team should be able to make a preliminary assessment of control risk for each relevant assertion identified during the planning stage. At this preliminary stage, the audit
Chapter 5 Risk Assessment: Internal Control Evaluation 197
team is assessing the internal control design to determine if it might be possible to rely
upon the internal control system during the financial statement audit. At this point in the
process, the audit team may also use their internal control findings from the previous
year’s audit to help inform this preliminary assessment. When doing so, auditors seek to
identify internal control activities that are explicitly designed to support reliable financial
statement reporting for the relevant financial statement assertion identified about each
significant account and disclosure. In a sense, the audit team must ask whether the client
has put internal control activities in place that are designed to prevent or detect material
misstatements for the relevant assertions. For an integrated audit at an issuer, the auditor
must test controls for all relevant assertions for each significant account and disclosure.
This will be discussed in detail in Module I. However, for audits of nonissuers, after the
audit team members have documented their understanding of the entity’s internal control,
an important decision needs to be made: Should the audit team perform tests of the operating effectiveness of those controls?
Deciding Whether to Perform Tests of Controls
When making the important decision of whether to perform test controls or not, it is
important to remember that audit teams may choose not to perform tests of controls for
one of two reasons:
1. The audit team may conclude that the internal control system is ineffective.
2. The costs of testing the operating effectiveness exceed the cost of substantive testing.
Each of these reasons is now discussed in greater detail. Related to the first reason,
after gaining an understanding of the internal control system, the audit team may conclude
that the internal control system is too ineffective in preventing or detecting misstatements
to rely upon and justify reductions of subsequent substantive audit procedures for the
relevant assertions identified during the planning stages. This conclusion is equivalent to
assessing control risk at the highest level and planning more extensive substantive testing
procedures. In such a situation, since the audit team would not likely be able to rely upon
the internal control system, they would have no choice but to conduct significant substantive testing to make sure that the audit is conducted in an effective manner.
The second reason that audit teams might not test controls would be the team’s decision
that it would take more time to test the operating effectiveness of the control activities than
it would take to perform the substantive tests that would be necessary to obtain enough comfort for a relevant assertion. In order to make such a decision, audit teams typically will have
to design a preliminary program of substantive procedures that would have to be completed
in order to obtain enough comfort if tests of controls were performed and the controls were
operating effectively and compare that result to the substantive procedures that would have
to be completed if tests of controls were not performed. In a sense, this is purely a decision
made by the audit team that relates to the profitability of the audit engagement and reflects
the reality that the cost of obtaining a low control risk assessment can be high (because of
the time needed to conduct tests of operating effectiveness of control activities.
For either reason, however, the result is the same if the audit teams makes the decision
to not perform tests of controls: control risk is assessed at the maximum level and more
extensive substantive procedures are required to be completed in order to reduce the risk
of material misstatement for a relevant assertion to an acceptably low level. For example,
suppose that completion time for tests of controls for the accuracy of payroll expense
is estimated as 40 hours. Also suppose that, if the tests of controls provided evidence
that the controls were in fact operating effectively, the substantive testing needed for the
accuracy assertion for payroll expense (e.g., confirmation sent to employees) could be
reduced by 30 hours. In this scenario, the additional work needed to perform the tests of
controls would not be economical. The decision to stop work on control risk assessment
in this case is a matter of audit efficiency—it doesn’t make sense to spend 40 hours testing controls to reduce substantive tests by 30 hours. Of course, the auditors’ rationale for
their final decision must be carefully documented. Before moving on, remember that this
198 Part Two The Financial Statement Audit
EXHIBIT 5.11 What Could Go Wrong and Control Activities
Significant
Account
Relevant Assertions
What Could Go Wrong?
Internal Control Activity
Cash
Existence
The cash balance may not exist in the
company’s bank accounts.
The CFO performs a detailed review of the bank
reconciliation on a monthly basis.
Valuation
The cash balance that is held in foreign
countries may not have been translated
properly.
The treasurer reviews the cash translation adjustment
calculation monthly and independently checks that the
appropriate spot rate has been used for each foreign
currency.
Presentation and
disclosure
There may be restrictions on the cash
balance that were not properly disclosed.
The corporate secretary reviews the cash footnote
disclosure on a quarterly basis to ensure that all legal
restrictions on the cash balance have been properly
disclosed.
Existence
Accounts receivable balances are inflated
and don’t really exist.
Check sales order and shipping document to make
sure sales were earned and a customer owes a
balance.
Completeness
Not all accounts receivable have been
recorded.
Check invoices with shipping document to A/R ledger.
Valuation
Receivables are not included in financial
statements at the appropriate amount,
and valuation adjustments are not
recorded properly.
Management evaluates the collectability of delinquent
receivables on a timely basis.
Accounts
Receivable
Source: The Committee of Sponsoring Organizations of the Treadway Commission. COSO Internal Control - Integrated Framework Principles. Accessed June 25, 2019
(online source).
decision is appropriate only for nonissuers; (i.e., nonpublic entities) audit teams must perform tests of controls over financial reporting for issuers, which is covered in Module I.
Remember, at this stage of the process, auditors are trying to identify the control activities that may be relied upon as part of the overall audit process. To do so, auditors need to
identify the controls that they believe will mitigate the risks of material misstatement that
have already been identified for each of the relevant assertions when gaining an understanding of the internal control system. In a well-designed internal control system, the key internal
control activities will be clearly linked to the relevant financial statement assertions being
supported by the control. Exhibit 5.11 provides an illustration of this step by extending the
exhibit that was developed in Chapter 4 (Exhibit 4.12) with a fourth column.
When identifying these control activities, auditors will often categorize controls as
either preventive or detective, automated or manual, and will also note how often the control is performed (e.g., daily, weekly, monthly, etc.). The categorization process helps an
auditor to better understand each control which facilitates internal control testing. Indeed,
it is important to remember that any control that may be relied upon would have to be
tested before the audit team could rely on them to reduce substantive testing. However,
it is important to point out that audit teams should not perform tests of controls for those
controls that will not be relied upon because there is no need to prove that they are operating effectively. Doing so would be inefficient. Instead, the audit team would have to
perform additional substantive procedures to compensate for the lack of internal controls
that could be relied upon to obtain sufficient appropriate evidence that would allow the
auditor to reach a conclusion for each of the related relevant assertions.
Tests of controls must be performed to obtain evidence as to whether control activities
that are candidates to be relied upon actually operate as described. The test of controls
audit plan consists of procedures designed to produce evidence of how effectively the
controls actually operate in practice. If they are determined to be operating effectively
after testing, control risk can be assessed below the maximum. If they do not operate with
the required level of effectiveness, the final conclusion is to assess a high control risk,
revise the audit plan to consider the control weakness, and then proceed with additional
substantive audit procedures.
Chapter 5 Risk Assessment: Internal Control Evaluation 199
The distinction between the understanding and documenting phase and assessing the control risk is useful for understanding the audit team’s study and evaluation of internal control.
However, the audit team may very well perform these phases together, and not necessarily
as separate and distinct audit tasks. For nonissuers, the audit team can halt the control evaluation process for efficiency or effectiveness reasons. However, if the audit team wants to
justify a low assessment of control risk that will reduce the substantive audit procedures for
a particular relevant assertion, the evaluation must be continued in phase 3, the testing phase.
To summarize, then, at this stage, the audit team members have now assessed control risk
for each relevant assertion based on its understanding and documentation of internal control. If this assessment is lower than the maximum level (i.e., the audit team members have
decided to rely on internal controls to reduce the extent of substantive testing), the auditors
must next perform tests of controls. This final phase is discussed in the next section.
Phase 3: Identify Controls to Test and Perform Tests of Controls
Understand
and
Document
the Client’s
Internal
Control
Assessment
of Control
Risk
Identify
Controls
to Test
and
Perform
Tests of
Control
As stated above, the process of identifying controls to test begins when auditors have determined that a control, if operating effectively, will reduce the risk of material misstatement
for an identified relevant assertion and that it makes sense to test those control activities.
These represent controls that have been assessed as low control risk and are often referred
to as controls on which the audit team intends to rely upon as part of the financial statement
audit process. To support the reduced control risk assessment and the reduction of related
substantive procedures for each relevant assertion, audit teams must test the control activities to determine whether they are operating effectively throughout the period. The required
level of effectiveness is a matter of professional judgment. Audit teams know that operating
effectiveness cannot realistically be expected to be perfect. The auditors could decide, for
example, that evidence such as 98 percent of recorded payroll being supported by validated
time cards may be sufficient to assess a “low” control risk for the occurrence assertion.
Most public accounting firms have internal guidelines to determine the acceptable rate of
compliance for an internal control activity to be considered effective. Generally, if a control
is judged to be more important and would result in a more significant reduction in substantive testing, the level of compliance must be higher. Factors to consider in determining
appropriate levels of compliance are discussed in more detail in Module E.
Performing Tests of Control
The professional standards make clear that when designing tests of controls, the auditor
needs to consider the means of selecting items for testing. For tests of internal controls,
there are two approaches that are commonly used: (1) testing all items in a population and (2) testing a sample from a population. The decision of which approach to use
depends on the nature of the control that is being tested, along with the availability of
data. For example, a control activity that is entirely automated might best be tested by
an automated audit procedure that can be efficiently and effectively applied to the entire
population of occurrences of that control activity. However, for a manual control activity,
the auditor is likely to take a sample from the population of occurrences of that control
activity. In addition, it should be noted that some manual controls (such as locking a door
to safeguard assets) may have little documentation and may require other means of testing (e.g., observation and inquiry). Not surprisingly, the increased use of computers by
both the client and the auditor has dramatically increased the number of tests of control
that can be effectively applied to the entire population of control occurrences in an efficient manner.
200 Part Two The Financial Statement Audit
For example, one way to subject all items in a population of occurrences for a particular
control activity is to use exception testing. Exception testing is designed to identify a
violation of a particular control activity through the use of an automated test procedure
designed to test all items in a population. For example, consider an entirely automated
control activity that is designed to compare a customer’s credit limit to the sum of (1)
a potential sales transaction and (2) that customer’s outstanding credit balance before
approval of that sales transaction. If the control activity operated effectively throughout
the year, a customer’s outstanding credit balance would not exceed its credit limit.
Given the nature of the control activity, one way to test the operating effectiveness
would be through the use of exception testing. That is, an auditor could obtain evidence
about the control’s operating effectiveness by using a procedure that compares each
customer’s credit limit to that customer’s outstanding credit balance at the end of each
day for the year under audit. Such a testing strategy would not have been possible (at
least economically) historically. However, due to advances in information technology,
such testing is now possible. As a direct result, entry-level audit professionals are now
expected to consider the full extent of client data available for testing purposes, before
they move forward with audit tests.
USING IDEA IN THE AUDIT
IDEA can be helpful to audit professionals when completing exception
tests and conducting audit sampling. Ultimately, exception tests provide
evidence about the operating effectiveness of internal control activities
by testing all items in a population and can be a highly efficient manner
to complete testing. For sampling, module E provides a detailed illustration
Internal Control Testing
of how auditors use the sampling features of IDEA to select a representative sample from a complete population of control occurrences
for a control activity to be tested.
At the end of this chapter, problems 5.63 and 5.64 can be
completed to illustrate the use of IDEA during internal control testing.
Of course, there are many control activities that do not lend themselves to automated
audit testing. In such situations, auditors are likely to take a sample from the population
of occurrences for the control activity being tested. Most importantly, in such situations,
the population being sampled must include all occurrences of the relevant control activity
for the entire period of reliance, and the sample must be representative of that population
to be considered appropriate audit evidence.
Tests of controls, when performed, should be applied to samples of transactions and control activities executed throughout the period under audit. The reason for this requirement
is that the conclusions about controls will be generalized to the whole period under audit.
If the auditor obtains audit evidence about the operating effectiveness of controls during
an interim period, additional audit evidence should be obtained for the remaining period.
There are certain situations when audit teams can rely on tests from previous periods if they
have evidence that the procedure has not changed and the auditor does not believe there is
a significant risk of material misstatement. However, in an annual audit, the auditor may
not rely on audit evidence about the operating effectiveness of controls obtained in prior
audits, for controls that have changed since they were last tested or for controls that mitigate
a significant risk. Audit sampling is discussed in detail in Module E.
Methods Used to Perform Tests of Controls
Once the items have been selected for testing, the four methods of testing controls are:
inquiry, observation, document examination, and reperformance. Generally, audit teams
use inquiry about the existence of control activities and then corroborate the oral evidence by observing that the client-described control activities are actually being performed. Observation occurs when auditors have eyewitness observation of employees at
Chapter 5 Risk Assessment: Internal Control Evaluation 201
their jobs performing control activities. Observation is typically used when certain control
activities, such as separation of employees’ duties, leave no documentary evidence for
subsequent examination. Observation also can produce evidence of access controls such
as the use of password-secured access to the computerized information system, locked
doors, and security guards. The limitation of observation is that this test of control is performed as of one point in time (usually near year-end), and what is observed at that point
in time may not be representative of prior time periods.
Some tests of controls depend on documentary evidence such as a payroll entry supported
by a time card. In these cases, document examination for evidence of signatures, initials,
checklists, reconciliations, and the like provides better evidence than procedures that leave
no documentary tracks. Document examination might be enough; the audit team may look to
see whether the documents were marked with an initial, signature, or stamp to indicate they
had been checked. For example, audit teams could examine canceled checks for authorized
signatures, inspect voucher packets for the initials of the employee who matched vendor
invoices with supporting purchase orders and receiving reports, or examine bank reconciliations
to make sure that they have been performed on a timely basis.
Generally, the most effective test of controls is reperformance. Reperformance can
involve any client internal control activity, such as the detailed review of the monthly
bank reconciliation by the entity’s controller. For this control, the auditor would follow
up on each reconciling item reviewed by the controller and then reperform each of
the mathematical calculations. The key difference between document examination and
reperformance is that with the former, audit teams inspect documents for evidence
that employees have performed the control activity; reperformance provides direct
evidence that the control activity was (or was not) done correctly. Exhibit 5.12 puts
control testing within the perspective of the payroll function with examples of specific
assertions being supported. Appendix 5A illustrates a sample audit plan for these tests.
Overall, the audit team’s choice of which method to use in order to perform a test of
controls to use depends on the nature and importance of the control activity being tested.
Not surprisingly, certain types of tests produce more persuasive evidence about the operating effectiveness of a control activity than others. The following hierarchy lists the type
of control tests from the least persuasive (inquiry) to the most persuasive (reperformance)
type of evidence:
∙
∙
∙
∙
Inquiry of client personnel.
Observation of the control activity being performed.
Inspection of relevant documentation.
Reperformance of the control activity.
Importantly, if the control activity has high risk, the audit team needs more persuasive evidence about its operating effectiveness than it would for a lower risk control
in order to determine if it is operating effectively. Since gathering more persuasive
evidence is typically associated with a higher cost than gathering less persuasive evidence, if the audit team wants to achieve a lower control risk assessment, it will be
more costly. This is why it may be more efficient for the auditor to choose not to rely
on controls and instead rely on substantive testing procedures to gain assurance for
certain significant accounts.
Of course, the level of automation of the control activity will also have a big impact on
the nature of the tests of control being performed. That is, for manual controls that rely on
a system-generated report, the audit team would have to separately test whether the report
is being generated by the system in a complete and accurate manner. In addition, for automated control activities that operate entirely within the entity’s computer information
system, the audit team would have to perform tests on the system to make sure that the
control is operating effectively. The auditing considerations that are relevant to testing the
completeness and accuracy of system-generated reports and testing the operating effectiveness of purely automated controls are discussed in detail in Module H.
202 Part Two The Financial Statement Audit
Direction of the Tests of Controls
The tests of controls in Exhibit 5.12 are designed to test the payroll accounting cycle
in two directions. One is the tracing/completeness direction, whereby the audit team is
interested in ensuring that all valid hours are included in the entity’s payroll records; as
a result, time logs (which represent valid hours worked) are traced to payroll department
files and the payroll register (which represents hours included in the payroll records).
Exhibit 5.13 shows that the sample for this direction is taken from the population of time
logs (including listings of electronic clock-ins).
For the vouching/occurrence direction, the purpose of the test is to ensure that all labor
hours included in the payroll (represented by the payroll register) were actually worked
(represented by time logs). As a result, entries would be selected from the payroll register and vouched back to the time logs by the auditor. Because payroll provides access to
cash, this cycle is highly susceptible to fraudulent activity on the part of an organization’s
employees. If a fictitious employee were created and added to the payroll, his or her pay
could be deposited into another person’s account. Of course, this is relatively difficult to
detect given that most paychecks are direct deposited.
Reassess the Assessment of Control Risk
The audit team should evaluate the evidence obtained from an understanding of the
client’s internal control and from the related tests of control activities. If control risk
(and the related RMM) is assessed very low, the substantive procedures on the relevant
EXHIBIT 5.12 Relevant Assertions about Payroll Cycle Transactions
Control to Mitigate the Risk of Material
Misstatement
Tests of Controls
Occurrence. Payroll and related events
that have been recorded have occurred
and pertain to the entity.
1. Payroll accounting is separated from
personnel and supervision.
2. Labor usage reports are compared to
job time tickets or lists of amount of time
clocked.
3. Payroll supervisor approved labor usage.
1. Observe separation of duties.
2a. Vouch labor costs to labor reports.
2b.Vouch labor reports to time tickets
authorized by management.
3. Examine documentary evidence of
supervisor approval.
Completeness. All payroll events that
occurred should have been recorded.
1. All documents are prenumbered and
numerical sequence reviewed.
2. Labor costs were reviewed by supervisors
and compared to budgets.
3. The personnel department notified the
payroll department of new hires to include
in payroll.
1. Inspect numerical sequence of selected
job cost tickets and paychecks.
2. Examine documentary evidence of
supervisor review of labor costs.
3. Trace a sample of employees in the
personnel file to payroll time logs and the
payroll register.
Accuracy. Payroll amounts and related
data have been recorded accurately.
1. Payroll entries are reviewed by a person
independent of preparation.
2. Budgeted payroll expenses by department
are compared to actual expenses.
1. Examine evidence of review and ensure
that a party independent of preparation
conducted the review.
2. Examine documentary evidence of budget
comparison.
Classification. Payroll-related events are
recorded in the proper accounts.
1. Job cost sheets are posted weekly and
1. Observe that payroll account distribution
summary journal entries of work-in-process
and job cost sheets agree.
and of work completed prepared monthly. 2. Examine supervisor signature on payroll
2. Payroll supervisor is required to approve
reports. Note evidence of comparison to
budget.
distribution of payroll expense accounts
and to compare payroll costs to budget.
Cutoff. Payroll-related events have
been recorded in the correct accounting
period.
1. Payroll reports are prepared weekly and
transmitted to cost accounting.
Relevant Assertion
1. Observe that the date of payroll reports
agrees with dates in weekly journal
entries.
Chapter 5 Risk Assessment: Internal Control Evaluation 203
EXHIBIT 5.13
Dual-Direction Test of
Payroll Controls
Vouching/Tracing (Payroll Cycle)
Q: Did all
recorded labor hours
actually occur?
Summary Listing
[Payroll Journal]
Vouching
(Occurrence)
Tracing
(Completeness)
Source Documents
[Time Logs]
Q: Were all labor hours
recorded?
assertions for significant account balances can be limited, as previously discussed. For
example, detailed vouching of recorded labor costs as a substantive test might be considered unnecessary or the audit team might decide it is appropriate to place considerable
reliance on control activities in the payroll system. On the other hand, if tests of control activities reveal that the controls are not operating effectively, the RMM would be
assessed at higher levels and substantive procedures would need to be increased in order
to mitigate the risk of material misstatement for the relevant assertion related to the significant account (i.e., payroll expense) in the financial statements.
Perhaps not surprisingly, the final assessment of control risk (and consequently,
the RMM) can be a difficult professional judgment. In the relevant sampling module
(Module E), you will find explanations of sampling methods for performing tests of controls of the type illustrated in Exhibit 5.12. Further discussion of reaching a final assessment of control risk (and RMM) is covered in that module. However, remember that,
in a sense, the overall evaluation of an entity’s internal control system is based on the
assessment of the control risk related to each relevant assertion for the identified significant accounts and disclosures. These assessments are the auditors’ expression of the
effectiveness of control activities for preventing, detecting, and correcting specific errors
and frauds in management’s relevant financial statement assertions.
An assessment of control risk should be coordinated with the final audit plan, which
includes the list of substantive procedures to detect material misstatements in account
balances and financial statement disclosures for each relevant assertion. Note that the
reassessment of control risk typically can go only one direction: upward. If the controls
are not functioning as described, they cannot be relied upon. On the other hand, even if
weak controls are functioning, they are still weak and do not reduce the risk of material
misstatement. There is one exception and that would be if the audit team finds that they
were in error during the understanding of internal controls phase and the auditor becomes
aware of additional controls about which they were previously unaware of. In that case,
lowering control risk might be considered.
Thus far, our discussion of tests of control activities and substantive procedures has
assumed that these are easily distinguishable. Be advised, however, that general audit
procedures can at times be used as dual-purpose tests. That is, a single audit test can
produce both control and substantive testing evidence and, thus, serve both purposes.
For example, a selection of recorded payroll entries could be used to (1) vouch payroll
to time cards and (2) calculate the correct dollar amount of payroll. The first procedure
provides relevant information about an important control activity. The second provides
dollar value information that can help offer substantive evidence to support the account
balance in the financial statements.
204 Part Two The Financial Statement Audit
REVIEW CHECKPOINTS
5.24 What are tests of control activities?
5.25 What are the two reasons that an auditor may use to decide not to test controls on a financial
statement audit of a nonissuer?
5.26 What are the four methods used to perform tests of control?
5.27 What is the difference between document examination and reperformance when conducting tests
of controls?
5.28 What purposes are served by a dual-purpose test?
INTERNAL CONTROL COMMUNICATIONS
LO 5-5
Explain the communication
of internal control
deficiencies to those
charged with governance,
such as the audit committee
and other key management
personnel.
During the financial statement audit, there are times when the audit team determines that
the internal control system has not been designed in a manner that will prevent or detect
material misstatements. Also, there are times when the audit team determines that an
internal control activity is not operating effectively. An internal control deficiency exists
when either the internal control design or the operation of the control activity under consideration does not allow the entity’s management or employees to detect or prevent misstatements in a timely fashion. A design deficiency is a problem relating to either a control
activity that is missing, or an existing control activity that is so poorly designed that it
fails to satisfy the control’s objective. An operating deficiency, on the other hand, occurs
when a control does not operate as it was designed to or when the person responsible for
completing the control does not possess the authority or the competence to perform the
control in an effective manner (possibly because employees are poorly trained). More
serious internal control deficiencies can be categorized into one of two groups—material
weaknesses or significant deficiencies—depending on their severity.
∙ A material weakness in internal control is defined as a deficiency, or combination of
deficiencies, that results in a reasonable possibility that a material misstatement would
not be prevented or detected on a timely basis.
∙ A significant deficiency is a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention
by those charged with governance.
The primary difference between a significant deficiency and a material weakness
involves the magnitude of the potential misstatement that could occur and would not be
detected on a timely basis. As the potential misstatement reaches overall materiality, an
auditor may conclude that a material weakness exists. The final determination is always a
matter of professional judgment.
For each financial statement audit engagement, the audit team must communicate
significant deficiencies and material weaknesses in internal control that come to their
attention during the performance of the audit. Auditors’ communications of significant
deficiencies and material weaknesses are intended to help management carry out its
responsibilities for internal control monitoring and change. However, external auditors’
observations and recommendations are usually limited to external financial reporting
matters.
The auditors’ internal control communication must be in writing and presented
to those in charge of governance (usually the audit committee). The communication
is to be addressed to management, the board of directors, or the audit committee. See
Exhibit 5.14 for an illustration of such a communication, in the form of a letter. In addition,
all deficiencies noted must be communicated in writing to management.
Chapter 5 Risk Assessment: Internal Control Evaluation 205
EXHIBIT 5.14
Internal Control
Communication
Michael Scarn, LLP
Scranton, PA
March 7, 2024
Board of Directors
Adams Company
In planning and performing our audit of the financial statements of Adams Company for the year ended
December 31, 2023, we considered its internal control in order to determine our audit procedures for the
purpose of expressing our opinion on the financial statements as well as the effectiveness of the company’s
internal control over financial reporting. Our consideration of internal control would not necessarily disclose
all deficiencies in internal control that might be significant deficiencies. However, we noted a certain
matter involving the internal control and its operation that we consider to be a significant deficiency under
generally accepted auditing standards.
The matter noted is that shipping personnel have both transaction-initiation and alteration authority
as well as custody of inventory assets. If invoice/shipping copy documents are altered to show a shipment
of smaller quantities than actually shipped, customers or accomplices can receive your products without
charge. The sales revenue and accounts receivable could be understated, and the inventory could be
overstated. This deficiency caused us to spend more time auditing your inventory quantities.
A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that
results in a reasonable possibility that a material misstatement would not be prevented or detected on a
timely basis. We do not believe that the significant deficiency described above is a material weakness.
This report is intended solely for the information and use of the board of directors and its audit committee,
and is not intended to be, and should not be, used by anyone other than these specified parties.
Respectfully yours,
Audit teams often issue another type of report to management called a management
letter. This letter may contain commentary and suggestions on a variety of matters in
addition to internal control matters. Examples include issues identified during the audit
related to operational and administrative efficiency, business strategy, and profit-making
possibilities. Auditing standards do not require management letters, but they represent a
type of value-added management advice rendered as part of an audit.
REVIEW CHECKPOINT
5.29 What is meant by an internal control deficiency?
5.30 What is a material weakness?
5.31 What is a significant deficiency?
5.32 What is the nature of communications about internal control that an audit team would provide to
an entity’s management, board of directors, or audit committee?
Summary
The purposes of the audit team’s evaluation of internal control are to assess the control
risk (as part of the overall assessment of the RMM) in order to make the substantive audit
plan and to report control deficiencies to management and the board of directors.
Internal control consists of five components: control environment, risk assessment,
information and communication system, control activities, and monitoring of the control
system. The auditor is required to gain an understanding of each of these components and
to document this understanding in the audit files. The control environment and management’s risk assessment are explained in terms of understanding the client’s business.
Elements of the accounting system are explained in conjunction with control activities
206 Part Two The Financial Statement Audit
designed to prevent, detect, and correct misstatements that occur in transactions. Documentation of an entity’s internal control system is accomplished through the use of questionnaires, flowcharts, and narratives.
Internal control is assessed in a top-down manner by which audit teams first identify
accounts that may contain significant risks of material misstatement. Audit teams then
identify which relevant assertions may be misstated. After determining “what could go
wrong,” audit teams examine entity-level controls that might mitigate the risk of material
misstatement. Finally, audit teams identify transaction level controls that would mitigate
any residual risks. If the audit team relies on controls, it must test the controls to ensure
they are operating effectively. Where controls are not in place to reduce the risk, or if
testing the controls would not be cost effective, substantive tests are designed to identify
any material misstatements.
It is important to distinguish the “client’s control activities” from the “audit team’s
tests of controls.” Control activities are part of the internal control designed and operated
by the entity. The audit team’s procedures are the audit team’s own evidence-gathering
work performed to obtain evidence about the client’s control activities.
Key Terms
audit committee: A subcommittee of the board of directors that is generally composed of three
to six “outside” members of the organization’s board of directors, 181
business risks: Those factors, events, and conditions that could prevent the organization from
achieving its business objectives, 182
control activities: The specific actions taken by a client’s management and employees to help
ensure that management directives are carried out, 183
control risk: The likelihood that the client’s internal control policies and procedures fail to
prevent or detect a material misstatement, 178
design effectiveness: A condition expressing whether controls would be expected to prevent or
detect errors or fraud that could result in a material misstatement in the financial statements, 193
detective controls: The activities that detect misstatements after they occur, 184
dual-purpose test: An audit procedure used as both a test of controls and a substantive test, 203
enterprise risk management (ERM): A process effected by an entity’s board of directors,
management, and other personnel applied in strategy setting and across the enterprise that is
designed to identify potential events that may affect the entity and to manage risks to be within its
risk appetite to provide reasonable assurance regarding the achievement of entity objectives, 182
entity-level controls: The controls that are pervasive to the financial statements taken as a whole, 192
flowchart: The audit documentation that provides a visual display of the accounting system and
control activities in an entity’s internal control system, 193
information system: An entity’s system, usually built on some type of technological platform
that has been designed to produce the information necessary for the entity to operate and control
its business operations, 188
internal control: Policies and procedures implemented by an entity to prevent or detect material
accounting frauds or errors and provide for their correction on a timely basis, 176
internal control deficiency: A condition that exists when the design or operation of a control
does not allow the entity’s management or employees to detect or prevent misstatements in a
timely fashion, 204
internal control questionnaire: The audit documentation that uses a checklist of internal control–
related questions to gain and document an understanding of the client’s internal control, 195
issuer: An entity that offers registered securities, such as stocks and bonds, for sale to the general
public (also known as a public entity). Issuers are subject to mandatory audit requirements, 175
material weakness: A deficiency or combination of deficiencies that results in a reasonable
possibility that a material misstatement would not be prevented or detected on a timely basis, 204
nonissuer: An entity that does not offer registered securities, such as stocks and bonds, for sale
to the general public (also known as a nonpublic entity). Nonissuers are not subject to mandatory
audit requirements, 197
narrative description: The audit documentation that describes the environmental elements, the
accounting system, and the control activities in an entity’s internal control, 193
Chapter 5 Risk Assessment: Internal Control Evaluation 207
operating effectiveness: Description of a condition expressing whether a control is operating as
designed and whether the person performing the control possesses the necessary authority and
qualifications to perform the control effectively. When a control is operating effectively, it is
helping to prevent or detect misstatements. 193
preventive controls: The activities that prevent misstatements before they occur, 184
reasonable assurance: The concept that recognizes that the costs of control activities should not
exceed the benefits that are expected from the control activities, 177
significant deficiency: A deficiency or a combination of deficiencies in internal control that is
less severe than a material weakness yet important enough to merit attention by those charged
with governance, 204
system-generated report: Any report that is generated by the audit client’s information system
that is used to execute its internal control procedures or produce its financial statements. It is
important to test that each system-generated report is complete and accurate if it is being used for
either of these purposes, 184
substantive procedures: The detailed audit and analytical procedures designed to detect material
misstatements in account balances and footnote disclosures, 203
transaction-level controls: The controls that relate to specific classes of transactions, account
balances, and disclosures, 193
walkthrough: The tracing of one or more transactions through the audit trail from initiation of
the transaction to its inclusion in the financial statements, 193
Multiple-Choice
Questions for
Practice and
Review
All applicable Exercises and Problems are available
with Connect
LO 5-3
5.33 The most important foundational component of an entity’s internal control system is
a. Effectiveness and efficiency of operations.
b. The control environment.
c. Reliability of financial reporting.
d. Compliance with applicable laws and regulations.
LO 5-4
5.34 The primary purpose for obtaining an understanding of internal control during the audit of a
nonissuer is to
a. Provide a basis for making constructive suggestions in a management letter.
b. Determine the nature, timing, and extent of further audit tests to be performed.
c. Provide the rationale for the inherent risk assessment at the financial statement assertion level.
d. Provide information for a communication of internal control–related matters to management.
LO 5-4
5.35 Effectiveness of audit procedures would be reduced by
a. Selecting larger sample sizes for audit.
b. Performing audit procedures at the fiscal year-end date as opposed to the interim period.
c. Deciding to obtain external evidence instead of internal evidence.
d. Performing procedures during the interim period as opposed to at the fiscal year-end date.
LO 5-4
5.36 To test the operating effectiveness of a control, an audit team might use a combination of
each of the following tests except for
a. Inquiry of client personnel.
b. Observation of company operations.
c. Confirmation of balances.
d. Inspection of documentation.
LO 5-4
5.37 Which of the following is a preventive control?
a. Reconciliation of a bank account.
b. Recalculation of a sample of payroll entries by internal auditors.
c. Separation of duties between the payroll and personnel departments.
d. Detailed fluctuation analysis completed by the CFO for revenue.
208 Part Two The Financial Statement Audit
LO 5-4
5.38 In most audits of large entities, control risk assessment contributes to audit efficiency, which
means that
a. The cost of substantive procedures will exceed the cost of control evaluation work.
b. Auditors will be able to reduce the cost of substantive procedures by an amount more
than the control evaluation costs.
c. The cost of control evaluation work will exceed the cost of substantive procedures.
d. Auditors will be able to reduce the cost of substantive procedures by an amount less than
the cost of tests of controls.
LO 5-4
5.39 Which of the following is a device designed to help the audit team obtain evidence about the
accounting and control activities of an audit client?
a. A narrative memorandum describing the control system.
b. An internal control questionnaire.
c. A flowchart of the documents and procedures used by the company.
d. All of the above.
LO 5-4
5.40 Tests of controls in a GAAS audit are used for
a. Obtaining evidence about the financial statement assertions.
b. Accomplishing control over the occurrence of recorded transactions.
c. Applying analytical procedures to financial statement balances.
d. Obtaining evidence about the operating effectiveness of client control activities.
LO 5-4
5.41 A transaction-level internal control activity is best described as
a. An action taken by auditors to obtain evidence.
b. An action taken by client personnel for the purpose of preventing, detecting, and correcting
errors and frauds in transactions to eliminate or mitigate risks identified by the company.
c. A method for recording, summarizing, and reporting financial information.
d. The functioning of the board of directors in support of its audit committee.
LO 5-4
5.42 The purpose of separating the duties of hiring personnel and distributing payroll checks is to
separate the
a. Authorization of transactions from the custody of related assets.
b. Operational responsibility from the record-keeping responsibility.
c. Human resources function from the controllership function.
d. Administrative controls from the internal accounting controls.
(AICPA adapted)
LO 5-4
5.43 If the auditor plans to assess control risk at less than the maximum and rely on controls, and
the nature, timing, and extent of further audit procedures are based on that lower assessment,
the auditor must
a. Obtain evidence that the controls selected for testing are designed effectively and operated effectively during the entire period of reliance.
b. Assess control risk at less than the maximum for all relevant assertions.
c. Perform only substantive procedures.
d. Provide additional examples of responses to assessed fraud risks relating to fraudulent
financial reporting.
LO 5-4
5.44 If they decide to rely on internal controls, the audit team should assess control risk for relevant assertions by considering the evidence obtained from all sources, including
a. The auditor’s testing of internal controls from the prior year.
b. Misstatements detected during the financial statement audit.
c. Any control deficiencies identified during the audit.
d. All of these.
LO 5-4
5.45 When assessing control risk on a preliminary basis during a financial statement audit, a key
objective of evaluating the design of an internal control system is to
a. Determine that the company’s employees are executing the control activities in accordance with the operating manuals at the client.
Chapter 5 Risk Assessment: Internal Control Evaluation 209
b. Determine whether the company’s internal control activities mitigate the risk of material
misstatement for the relevant assertions if they operate effectively.
c. Determine that the data being relied upon by the client’s controller is complete and accurate.
d. Determine whether the company’s internal controls are operating effectively.
LO 5-1
5.46 According to the COSO Framework, internal control is a process that is designed to achieve
objectives in three different categories. Which of the following responses is not one of the
categories identified in the COSO Framework?
a. Effective and efficient operations.
b. Compliance with laws and regulations.
c. Relevant financial reports.
d. All these responses are categories in the COSO framework.
LO 5-5
5.47 A material weakness is a situation in which
a. It is probable that an immaterial financial statement misstatement would not be prevented
or detected and corrected on a timely basis.
b. There is a remote likelihood that a material misstatement would not be prevented or
detected and corrected on a timely basis.
c. It is reasonably possible that a material misstatement would not be prevented or detected
and corrected on a timely basis.
d. It is reasonably possible that an immaterial misstatement would not be prevented or
detected and corrected on a timely basis.
LO 5-5
5.48 When evaluating an internal control deficiency as part of a financial statement audit, the
primary difference between a significant deficiency and a material weakness depends on
a. Whether there is a reasonable possibility that the company’s internal control system will
fail to prevent or detect and correct a misstatement of an account balance or disclosure.
b. Whether a misstatement has actually occurred as a result of the deficiency or the
deficiencies.
c. The magnitude of the potential misstatement resulting from the deficiency or the
deficiencies.
d. All of these are correct.
LO 5-1
5.49 Which of the following is an example of a limitation of an internal control system?
a. Collusion among employees.
b. Human error.
c. Management override of controls.
d. None of these items are limitations.
e. All of the above are limitations.
LO 5-2
5.50 Both management and auditors have responsibilities related to the audit client’s internal
control system. What is an example of management’s responsibility related to internal control system?
a. Management must assess financial reporting risk.
b. Management must establish an appropriate control environment.
c. Management must ensure the security of the company’s assets, including data.
d. Only b and c are the responsibility of management.
e. All of these are the responsibility of management.
LO 5-2
5.51 When considering auditor’s responsibilities for the client’s internal control system, much
depends on whether the audit team believes it can rely on the client’s internal control system
in order to modify substantive testing on the financial statement audit. If the audit team is
able to rely on the internal control system, which impact on substantive testing would you
expect to see
a. An increase in sample size from 60 to 90 selections.
b. The use of a more effective substantive testing procedure.
c. The timing of the substantive testing might occur at the interim testing date.
d. No impact on substantive testing would be expected.
210 Part Two The Financial Statement Audit
LO 5-4
5.52 Which of the following methods would be the most effective technique for an auditor to
perform when testing the operating effectiveness of an internal control activity?
a. Inquiry of appropriate personnel.
b. Reading over the company’s code of conduct.
c. Reperformance of the control activity.
d. Examination of appropriate documents for proper signatures.
LO 5-3
5.53 Which of the following items is not one of the five components of an internal control system, according to the COSO framework?
a. Control environment.
b. Risk assessment.
c. Information and communication.
d. Control activities.
e. Completeness and accuracy.
LO 5-3
5.54 Which of the following controls is not an example of a monitoring control that is used to
fulfill the monitoring component of the COSO framework?
a. Audit committee inquiries of internal and external auditors.
b. Three-Way match of purchase order, receiving report and vendor invoice.
c. Supervisory review of controls, such as reconciliation reviews as a normal part of processing.
d. Periodic evaluation of controls by the internal audit department.
Exercises and
Problems
LO 5-4
All applicable Exercises and Problems are available
with Connect.
5.55
Internal Control Audit Standards. Auditors are required to obtain a sufficient understanding of each component of a client’s internal control. This understanding is used to
assess control risk and plan the audit of the client’s financial statements.
Required:
a. For what purposes should an auditor’s understanding of the internal control components
be used in planning an audit?
b. What is required for an audit team to assess control risk below the maximum level?
c. What should an audit team consider when seeking to reduce the planned assessed level of
control risk below the maximum?
d. What are the documentation requirements concerning a client’s internal control components and the assessed level of control risk?
(AICPA adapted)
LO 5-3
5.56 Separation of Duties. Your small business client, Phillip’s Computer Repair Shop, is experiencing financial difficulties and has to lay off one of its four employees in the accounting
area. Phillip has asked you to determine what duties should be assigned to the three remaining employees—Abigail, Bryan, and Chris—to maintain the best separation of duties.
Required:
Assign the following 10 duties to each of the three employees.
a. Reconcile bank statement.
b. Open mail and list checks.
c. Prepare checks for Phillip’s signature.
d. Prepare payroll checks.
e. Maintain personnel records.
f. Prepare deposit and take to bank.
g. Maintain petty cash.
h. Maintain accounts receivable records.
i. Maintain general ledger.
j. Reconcile accounts receivable records to general ledger account.
Chapter 5 Risk Assessment: Internal Control Evaluation 211
LO 5-4
5.57 Types of Audit Tests. Indicate whether each of the following audit procedures is primarily
a test of controls or a substantive test. Please note that many of these tests could be used as
a dual-purpose test. However, for purposes of this exercise, please indicate whether it would
primarily be used as a test of controls or substantive test. Next, indicate the financial statement assertion most closely related to each audit procedure.
Required:
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
k.
l.
m.
LO 5-4
Vouch recorded sales invoices to supporting shipping documents.
Inspect recorded sales invoices for credit approval.
Vouch recorded sales invoices prices to the approved price list.
Send confirmations to all customers regarding accounts receivable.
Recalculate the arithmetic accuracy of the recorded sales invoices.
Compare the shipment date of recorded sales invoices with the invoice record date.
Trace recorded sales invoices to posting in the general ledger control account and in the
correct customer’s account.
Select a sample of shipping documents from the shipping department file and trace shipments to recorded sales invoices.
Scan recorded sales invoices and shipping documents for missing numbers in sequence.
Vouch sales invoices and shipping documents.
Evaluate the adequacy of the allowance for doubtful accounts.
Obtain financial statements or credit reports on large past due accounts and inquire of the
credit manager about collections.
Calculate an estimate of the allowance for doubtful accounts using prior relations of
write-offs and sales.
5.58 Internal Control Questionnaire Items: Assertions, Tests of Controls, and Possible
Errors or Frauds. The following is a selection of items from the internal control questionnaire on a payroll system in Exhibit 5.10.
1. Are names of terminated employees reported in writing to the payroll department?
2. Are authorizations for deductions signed by the employees on file?
3. Is there a timekeeping department (function) independent of the payroll department?
4. Are timekeeping and cost accounting records (such as hours, dollars) reconciled with
payroll department calculations of hours and wages?
Required:
For each of the four preceding questions
a. Identify the assertion to which the question applies.
b. Specify one test of controls an auditor could use to determine whether the control was
operating effectively.
c. Provide an example of an error or fraud that could occur if the control were absent or
ineffective.
d. Identify a substantive auditing procedure that could detect errors or frauds that could
result from the absence or ineffectiveness of the control items.
LO 5-4
5.59 Obtaining a “Sufficient” Understanding of Internal Control. The 12 partners of a
regional public accounting firm met in special session to discuss audit engagement efficiency. Jones spoke up, saying, “We all certainly appreciate the firmwide policies set up
by Martin and Smith, especially in connection with the audits of the large clients that have
come our way recently. Their experience with a large public accounting firm has helped
build our practice. But I think the standard policy of conducting tests of internal control
on all audits is raising our costs too much. We can’t charge our smaller clients fees for all
of the time the staff spends on this work. I would like to propose that we give engagement
partners discretion to decide whether to do a lot of work on assessing control risk. I may
be old-fashioned, but I think I can finish a competent audit without it.” Discussion on the
subject continued but ended when Martin said, with some emotion, “But we can’t disregard
generally accepted auditing standards like Jones proposes!”
Required:
What do you think of Jones’s proposal and Martin’s view of the issue? Discuss.
212 Part Two The Financial Statement Audit
LO 5-4
5.60 Fraud Opportunities. Simon Blank Construction Company has two divisions. The president
(Chris Simon) manages the roofing division. Simon delegated authority and responsibility
for management of the modular manufacturing division to John Gault. The company has
a competent accounting staff and a full-time internal auditor. Unlike Simon’s procedures,
however, Gault and his secretary handle all bids for manufacturing jobs, purchase all materials
without competitive bids, control the physical inventory of materials, contract for shipping
by truck, supervise the construction activity, bill the customer when the job is finished,
approve all bid changes, and collect the payment from the customer. With Simon’s tacit
approval, Gault has asked the internal auditor not to interfere with his busy schedule.
Required:
Discuss this situation in terms of internal control and identify frauds that could occur.
LO 5-4
5.61 Internal Control Questionnaire Items: Errors That Could Occur from Control
Weaknesses. Refer to the internal control questionnaire on a payroll system (Exhibit 5.10).
a. Assume that the answer to each question is no. Prepare a table matching the questions
to errors or frauds that could occur because of the absence of the control. Your column
headings should be
Question
Possible Error or Fraud
Due to Weakness
b. Which controls are preventive controls and which are detective?
LO 5-3
5.62 Role of a Board of Directors in Internal Control. Assume that the local newspaper just
ran the following headline and article: “Audit Results: Airport executives from Kentucky
racked up $500K in lavish expenses, concert tickets, and even gentlemen’s club tabs”
LEXINGTON, Ky. (AP)—A small commercial airport in Kentucky—and the taxpayers who
support it—picked up top executives’ tabs in recent years for Hannah Montana concert tickets,
Nintendo Wii video game bundles and even a $4,400 gentlemen’s club check, according to a
state auditor’s report.
The report released Wednesday outlines indulgences ranging from pricey electronics and
exercise equipment to lavish meals and champagne. In three years, officials tallied more than
$500,000 in questionable personal expenses. [Author’s note: General fund expenses were
approximately $10,000,000 annually.]
Kentucky Auditor Crit Luallen said the former executive director at Lexington’s Blue
Grass Airport created a culture of wasteful spending so vast, employees sometimes were paid
twice for the same expense and used airport credit cards as if they were personal checkbooks.
“I don’t think we have ever seen an audit where so many different individuals involved in
the management of a public agency abused the trust with such arrogance and lack of ethical
standards,” she said.
Luallen says she has forwarded the case to the Kentucky attorney general, the U.S. attorney’s
office, and the FBI.
Although the audit only covered the past three years, it does refer to one of the more glaring
examples reported by the Herald-Leader: a $4,400 charge Michael Gobb and two other directors
incurred at a Dallas strip club in 2004.
The charge, which appeared on the credit card statement of the airport’s director of planning,
was listed as going to Millennium Restaurant. The word “marketing” was handwritten next
to the amount. The Associated Press obtained that receipt and others through an open records
request.
The audit found that airport employees also used the coffers for tuxedos and other expensive
clothing; more than 400 DVDs—many of them currently missing—for the internal airport library;
$14,000 in holiday hams given out as gifts; and $7,400 for a NASCAR driving experience excursion
for staff described as “team building.”
More than 92 percent of the things Gobb charged to his airport card lacked proper
documentation, Luallen said.
While Luallen acknowledged that Gobb was responsible for the free-spending culture, she
said the board and its public accounting firm should have supervised the airport more closely.*
Source: Reprinted with permission from the February 26, 2009, online edition of the Daily Report 2009 (ALM Media
Properties, LLC). All Rights reserved.
Chapter 5 Risk Assessment: Internal Control Evaluation 213
Required:
a. Discuss the role of the board of directors in monitoring the behavior of a chief executive officer.
b. If the chief executive officer has subordinates incur expenses that he or she approves,
how can the board prevent abuse?
c. Should external auditors be expected to detect abuses such as these?
d. How should the use of credit cards be controlled?
LO 5-4
5.63 Authorization of Credit Tests of Controls — Using IDEA For this exercise, your client, Bright IDEAs Inc., has provided you with data for two related files, a listing of sales
invoices, and a listing of customers with credit limits. To test whether credit authorization
controls are in place, the auditor must complete a series of related steps:
1. Import the client’s database of sales invoices.
2. Summarize the Accounts Receivable balance by customer.
3. Import the client’s customer credit limit data into IDEA.
4. Join the Accounts Receivable balances by customer with the credit limit data.
5. Extract customers with exceeded credit limits.
Required Data and IDEA workbook page references for current version available on Connect
Required:
Complete the preceding steps and answer the following questions:
a. How many customers were granted credit with no indication that they had any credit
limit assigned to them?
b. How many customers exceeded their credit limit?
c. What effects would the findings in parts (a) and (b) have on the auditor’s assessment of
the risk of material misstatement? What accounts and assertions are most likely influenced by these findings?
LO 5-4
5.64 Identifying Payments to Unauthorized Suppliers — Using IDEA For this exercise, your
client, Bright IDEAs Inc., has provided you with data for two related files: an accounts payable history file and a supplier master file. To test the authorization of purchases to only
legitimate suppliers, the auditor must complete a series of related steps:
∙ Import the client’s database of accounts payable.
∙ Import the client’s authorized supplier list.
∙ Merge the accounts payable and supplier databases.
∙ Identify payments to unauthorized suppliers.
Required Data and IDEA workbook page references for current version available on Connect
Required:
Complete the preceding steps and answer the following questions:
∙ How many different unauthorized suppliers were paid during the year?
∙ What was the total dollar amount of the payments to unauthorized suppliers?
∙ What effects would the findings in parts (a) and (b) have on the auditor’s assessment of
the risk of material misstatement? What accounts and assertions are most likely influenced by these findings?
Apollo Shoes
Internal Control Testing
You are a recently promoted senior (in charge) auditor for Anderson, Olds, and Watershed and have been assigned to the engagement team of a new audit client, Apollo Shoes
Inc. You have been asked to perform certain procedures related to the internal control
system for Apollo Shoes. A detailed audit program for performing the procedures related
to the internal control system, as well as working papers and supporting documentation,
can be found on Connect.
Appendix 5A
Audit Plan
DUNDER-MIFFLIN INC.
Audit Plan for Tests of Controls in the Payroll Cycle 12/31/23
Performed By
1. Observe the separation of duties between the personnel, timekeeping,
and payroll departments.
2. Select a sample of payments from the payroll distribution for the year.
a. Vouch labor costs to labor reports.
b. Vouch labor reports to time tickets or computerized listing.
c. Examine documentary evidence of supervisor review of labor costs.
d. Examine documentary evidence of supervisor approval.
3. Account for numerical sequence of selected job cost tickets and
paychecks. Trace a sample of employees in the personnel file to payroll
department files and the payroll register.
4. Examine documentary evidence of budget comparison.
5. Reconcile the payroll account distribution report and the job cost sheets.
6. Examine supervisor’s signature on payroll reports. Note evidence of
comparison to budget.
Ref.
CHAPTER 6
Employee Fraud and
the Audit of Cash
Rather fail with honor than succeed by fraud.
Sophocles, Greek playwright and scholar (496–406 BC)
Professional Standards References
AU-C/ISA
Section
AS
Reference
Consideration of Fraud in a Financial Statement Audit
240
2401
Consideration of Laws and Regulations
250
2405
Audit Planning
300
2101
Consideration of Internal Control in an Integrated Audit
265
2201
Identifying and Assessing the Risks of Material Misstatement
315
2110
Auditors’ Responses to Risks of Material Misstatement
330
2301
Audit Considerations Relating to an Entity Using a Service Organization
402
2601
Audit Evidence
500
1105
External Confirmations
505
2310
Using the Work of an Audit Specialist
620
1210
Topic
LEARNING OBJECTIVES
In Chapter 5, we emphasized the important role of
the internal control system in helping to ensure that
the financial statement information being presented
by an organization is credible and can be relied upon.
Beyond its critical nature in the production of reliable
financial statement information, the establishment of
an internal control system is also important to help
protect an organization’s assets from being stolen. In
this chapter, we focus on the auditor’s role in helping
clients prevent and/or detect the misappropriation (or
theft) of assets in their organization.
Recall that in Chapter 4 we focused on the
auditor’s responsibilities related to fraudulent
financial reporting, that is when an organization
intentionally issues false or misleading financial
statements to the investing marketplace. The
professional standards make clear that auditors are
also responsible for considering the possibility of
misstatements that arise from the misappropriation
of assets, otherwise known as employee theft. As
a result, this chapter begins with a comprehensive
discussion of this type of fraud.
Next, because cash is often the primary target of
employee theft, the chapter logically transitions to a
discussion of how the cash balance is audited. This
discussion includes a description of the most common
relevant financial statement assertions, along with
a focus on the control and substantive testing
215
216 Part Two The Financial Statement Audit
procedures that are typically performed during the
audit of cash balances. Importantly, our discussion
of controls includes specific examples of additional
internal control activities that can be put in place to
help prevent or detect employee theft, also known
as a misappropriation of assets fraud.
LO 6-4
Identify the relevant assertions and risks
of material misstatement that are typically
related to the cash balance.
LO 6-5
Identify important internal control activities
present in a properly designed system to
mitigate the risk of material misstatements for
each relevant assertion related to cash and to
help prevent or detect employee fraud.
LO 6-6
Give examples of substantive procedures
used to test cash and relate them to the
relevant assertions.
LO 6-7
Describe some extended procedures for
detecting employee fraud schemes involving cash.
Your objectives are to be able to:
LO 6-1
Define and explain the differences among
several kinds of employee frauds that might
occur at an audit client.
LO 6-2
Identify and explain the three conditions
(i.e., the fraud triangle) that often exist
when a fraud occurs.
LO 6-3
Describe techniques that can be used to
prevent employee fraud.
INTRODUCTION
LO 6-1
Define and explain the
differences among several
kinds of employee frauds
that might occur at an audit
client.
Rita Crundwell served as Comptroller and Treasurer of the city of Dixon, Illinois, for
nearly three decades. Outside of work, she was a respected and well-known breeder of
quarter horses. In fact, her horses won 52 world championships and she was honored
as the leading owner by the American Quarter Horse Association for eight consecutive
years. Ms. Crundwell was also highly respected at work, and she was regularly praised
for her stewardship of taxpayer dollars. However, behind the scenes, Rita Crundwell
was building her horse empire using taxpayer dollars! Using a secret bank account, she
created false invoices and wrote checks payable to the harmless-sounding “Treasurer,”
which she deposited into an official-sounding account that was, in reality, her own.
For nearly two decades, her scheme remained undetected, and by the time it was discovered in 2012, Rita Crundwell had stolen over $53 million from the city of Dixon. The
fraud is considered to be the largest municipal fraud in American history, and became the
subject of an award-winning 2017 film, All the Queen’s Horses. Following her arrest, a
fraud examination discovered the extent of the theft, and Ms. Crundwell was sentenced
to a long jail term. However, she was released to home confinement in 2021 following
8 1/2 years in prison.1
Fraud examinations can be very exciting for auditors. A fraud examination has the
aura of detective work—finding things that people want to keep hidden. However, such
examinations are not easy and are not activities to be pursued without special training,
experience, and care. While Module D presents a more detailed discussion of fraud
examinations, this chapter presents a general introduction to the theory and definitions
related specifically to misappropriation of assets-type fraud. In addition, you will learn
how auditors evaluate the design and operating effectiveness of internal controls that are
designed to mitigate the risk of this type of employee fraud. Importantly, because cash
is often the primary target of fraudsters in these schemes, we illustrate internal controls
as they relate to cash. Next, we present a discussion of the audit of the cash account on
the balance sheet, with specific examples of internal control activities and related control
tests and substantive audit procedures.
1
“Former Dixon, IL Comptroller, Rita Crundwell, Sentenced to 19 1/2 years in Prison,” Forbes, February 3, 2013.; “Rita Crundwell,
who embezzled nearly $54 million from Dixon, released from federal prison,” Chicago Sun-Times, August 5, 2021.
Chapter 6 Employee Fraud and the Audit of Cash 217
The Need for Skepticism in Audits of Cash
It is essential that auditors maintain their professional skepticism at all times throughout
the engagement. In fact, professional standards require that when auditors brainstorm
about the potential for all types of fraud in an engagement, the activity should “occur
with an attitude that includes a questioning mind, and the key engagement team members
should set aside any prior beliefs they might have that management is honest and has integrity.”2 Why is it so important that auditors maintain such a high degree of skepticism?
Because a fraud is often committed by a person that an auditor least expects. Consider a
Little League coach ripping off the league to buy expensive jewelry by using a routing
number from a league payroll check.3 Or consider an executive assistant at a large public
accounting firm who wrote more than $1 million in checks to herself that were drawn on
a client’s bank account.4 You just never know from where the next fraud might originate,
as discussed in the following Auditing Insight!
AUDITING INSIGHT
Let’s Go for a Hike on the Appalachian Trail . . .
for Life
This is exactly the plan that was put into action by James Hammes after
stealing $8.7 million from his employer, a Pepsi-Cola bottler based in
Ohio. Amazingly, his plan almost worked as he eluded capture by hiking and then living on the Appalachian Trail using an assumed name.
Hammes committed the crime while working as a controller at the
company from 1998 to 2009. Because he had access to both the cash
and the accounting records, he was able to divert company cash into a
personal bank account and then cover up his crime by manipulating the
accounting records. When the FBI started to ask him questions about the
missing cash, Hammes decided to take a hike. Eventually, another hiker
became aware of his story and tipped off the authorities. Hammes was
sentenced to eight years in prison and must repay the money stolen.
Source: “Accountant Who Hid on Appalachian Trail Jailed for Embezzling Millions from Pepsi Bottler,” Accounting Today, June 23, 2016.
Not surprisingly, whenever a fraud risk exists, the professional standards require that
auditors gain an understanding of the internal controls that are in place to mitigate the
assessed fraud risk. At a minimum, auditors are required to document that understanding
in the audit documentation. In fact, auditors are also likely to evaluate the design, implementation, and operating effectiveness of identified internal control activities related to
fraud risks that exist. Importantly, an entity’s internal control cannot thwart or detect
all fraud schemes. Inherent limitations in internal control (such as collusion among employees)
prevent complete assurance that every fraud scheme will be detected before a loss is
incurred. For this reason, the entity’s auditors, accountants, and security personnel must
be acquainted with the basics of fraud awareness. Although the professional auditing
standards concentrate on fraudulent financial reporting—the production of materially
false and misleading financial statements—the standards also require auditors to pay particular attention to employee fraud perpetrated against a client for several reasons. First,
it is possible that employee fraud can result in a material financial statement misstatement to the extent that a crime was covered up using the financial statements. Second,
employee fraud can be indicative of control deficiencies which can influence the auditor’s assessment of control risk. Finally, audit clients always want to know if they are
being robbed by their employees, regardless of the amount being stolen!
Employee Fraud Overview
Fraud consists of knowingly making material misrepresentations of fact with the intent
of inducing someone to believe the falsehood and act upon it and, thus, suffer a loss or
damage. This definition encompasses all ways by which people can lie, cheat, steal, and
2
PCAOB Auditing Standard No. 2110, “Identifying and Assessing Risks of Material Misstatement.”
“Little League Coach Accused of Fraud,” St. Petersburg Times, p. 3B, July 4, 2009.
4
“Aide Gets 2 Years in Fraud Case,” San Francisco Chronicle, p. D2, October 28, 2010.
3
Other Definitions Related to Fraud and Illegal Acts
Management fraud is an intentional deception that is orchestrated by
management and is designed to injure investors and creditors by providing materially misleading information.
Errors are unintentional misstatements or omissions of amounts or disclosures in financial statements.
Direct-effect illegal acts are violations of laws or government
regulations by the company, or its management or employees, that
produce direct and material effects on dollar amounts in financial
statements.
Embezzlement is a type of fraud that typically involves an employee
wrongfully stealing assets that were entrusted to his or her care, custody,
or control. In many situations, embezzlement is accompanied by false
accounting entries or lying to try to cover up the crime.
deceive other people. Employee fraud (often referred to as misappropriation of assets) is
the use of fraudulent means to take money or other property from an employer. It usually
involves falsifications of some kind—false documents, lying, exceeding authority, or violating an employer’s policies. Employee frauds generally consist of (1) the fraudulent act
itself, (2) the conversion of assets to the fraudster’s use (very easy if cash is involved), and
(3) the cover-up. Catching people in the fraudulent act is difficult to accomplish. The act of
conversion is equally difficult to observe because it typically takes place in secret away
from the entity’s offices (e.g., selling stolen inventory). By noticing signs and signals
of fraud and then following the trail of missing, mutilated, or false documents that are
part of the accounting records cover-up, alert auditors uncover many frauds. Being able
to notice red flags, oddities, and unusual events takes some experience, but this chapter
provides you with some ideas about where and when to look.
Employee Fraud Red Flags
Employee fraud can involve all types of employees from high-level executives to hourly
employees in the warehouse. Even partners in accounting firms can be responsible as
discussed in the next Auditing Insight. For most people, committing a fraudulent act is
stressful. Observation of changes in a person’s habits and lifestyle may reveal some red
flags.5 Fraudsters often exhibit these behaviors:
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
Experience sleeplessness.
Drink too much.
Take drugs.
Become irritable easily.
Can’t relax.
Get defensive, argumentative.
Can’t look people in the eye.
Sweat excessively.
Go to confession (e.g., priest, psychiatrist).
Find excuses and scapegoats for mistakes.
Work standing up.
Work alone.
Work late frequently.
Don’t take vacations.
5
Long lists of red flags can be found in G. J. Bologna and R. J. Lindquist, Fraud Auditing and Forensic Accounting (New York:
John Wiley & Sons, 1995), pp. 49–56; W. S. Albrecht et al., in R. K. Elliott and J. J. Willingham, Management Fraud: Detection and
Deterrence (New York: Petrocelli Books Inc., 1980), pp. 223–226; Statement on Auditing Standards No. 99 (New York: AICPA,
2002); Auditing for Fraud courses of the Association of Certified Fraud Examiners; and courses offered by other organizations
such as the AICPA and The Institute of Internal Auditors.
218
Chapter 6 Employee Fraud and the Audit of Cash 219
Personality red flags are difficult because (1) honest people often show them as well,
(2) they often are hidden from view, and (3) auditors are not in a good position to notice
these characteristics. Managers are in the best position to notice changes, especially when
a person varies his or her lifestyle or spends more money than his or her salary seems to
justify—for example, on homes, furniture, jewelry, clothes, boats, autos, vacations, and
the like. Therefore, it is imperative that the auditor make specific inquiries of management
regarding changes in an employee’s demeanor and lifestyle.
AUDITING INSIGHT
Are You Kidding Me?
In February 2013, investigators arrested Craig Haber, a partner in tax and
advisory services in the New York City office of Grant Thornton for stealing payments made by clients to the firm. Allegedly, his crimes began
in July 2004 and continued through July 2012. In total, he is alleged to
have stolen approximately $4 million from Grant Thornton. Apparently,
Haber provided instructions to his clients to send checks or wire transfers
directly to him in New York instead of sending the payments to Grant
Thornton’s headquarters in Chicago. He then took the checks and deposited them in a bank account that was opened “in the name of a sham
business that was very similar to Grant Thornton’s name.” Haber then
would transfer the funds from this account to his personal account.
Source: “Former Grant Thornton Partner Arrested for Stealing $4 Million in Client
Payments,” Accounting Today, February 7, 2013.
Characteristics of Fraudsters
White-collar criminals are not like typical bank robbers who are often described as
“young and dumb.” Bank robbers and other strong-arm criminals often make comical
mistakes such as writing their holdup note on the back of a probation identification card,
leaving the getaway car keys on the convenience store counter, using a zucchini as a
holdup weapon, going through a fast-food restaurant’s drive-through window backward,
and timing the holdup to get stuck in rush hour traffic. Then there’s the classic story
about the robber who ran into his own mother at the bank. (She turned him in!)
Burglars and robbers average about $400–$500 for each hit. Employee frauds often
range from $20,000 up to $500,000 or even millions if a computer is used. Yet employee
frauds are not usually the intricate, well-disguised ploys you find in espionage novels.
Who are these thieves wearing ties? What do they look like? Unfortunately, they look like
most everybody else, including you and me. A typical white-collar criminal
∙
∙
∙
∙
∙
∙
Has education beyond high school.
Is likely to be married.
Is a member of a church, mosque, or temple.
Ranges in age from teens to over 60.
Is socially conforming.
Has an employment tenure from 1 to 20 years (although the scale of the fraud typically
increases with tenure as the employee becomes more trusted).
∙ Has no arrest record.
∙ Usually acts alone (70 percent or more of incidents).
White-collar criminals do not make themselves obvious, although they may leave telltale
signs or red flags. Older individuals (usually over 50) who hold high executive positions,
have long tenure, and are respected and trusted employees have often gained the trust and
confidence of others and, therefore, are in a position to commit the largest frauds. After
all, these are the people who have access to the largest amounts of money and have the
power to give orders and override controls. When managers minimize the significance of a
weak or missing control by rationalizing that the employee involved is a “long-time trusted
employee,” most experienced auditors will actually escalate their level of fraud risk awareness. You should as well, as demonstrated by the following Auditing Insight.
220 Part Two The Financial Statement Audit
AUDITING INSIGHT
•
•
Trusted Employees?
A small business owner hired his best friend to work as his accountant.
The friend was given full, unlimited access to all aspects of the
business and was completely responsible for the accounting. Five
years later, the owner finally terminated the friend’s employment
because the business was not profitable. Upon taking over
the accounting responsibilities, the owner’s wife found that
cash receipts from customers were twice the amounts formerly
recorded by the accountant “friend.” An investigation revealed
that the friend had stolen $450,000 in cash sales receipts from the
business while the owner had never made more than $16,000 a
year. (The friend had even used the stolen money to make loans to
the owner to keep the business going!)
An electrical supply company employed only one bookkeeper. She
wrote the checks and reconciled the bank account. In the cash disbursements journal, she coded some checks as inventory, but she
wrote the checks to herself, using her own name. When the checks
•
were returned with the bank statement, she simply destroyed
them. Confronting continuous guilt over doing something she
knew was wrong, she contacted a lawyer and turned herself in
but not before she had stolen $416,000 over a five-year period.
Because of the lack of separation of duties and her trusted status
in the company, the fraud might have continued indefinitely (or at
least until she bankrupted the company).
Alex W. was a 47-year-old treasurer of a credit union. Over a sevenyear period, he stole $160,000 from it. He was a good husband and
father of six children, and he was a highly regarded credit union
official. His crime came as a stunning surprise to his associates. Why
did he do it? He owed significant amounts on his home, cars, college
for two children, two side investments, and five credit cards. His
monthly payments significantly exceeded his take-home pay.
Source: Association of Certified Fraud Examiners (ACFE), “Auditing for Fraud.”
REVIEW CHECKPOINTS
6.1 What are the defining characteristics of employee fraud? Embezzlement?
6.2 What does a fraud perpetrator look like? How does one act?
THE FRAUD TRIANGLE
LO 6-2
Identify and explain the
three conditions (i.e., the
fraud triangle) that often
exist when a fraud occurs.
The three conditions that are likely to be present when a fraud occurs (Exhibit 6.1) are
commonly referred to as the fraud triangle. The first condition (incentive/pressure) recognizes that an employee or manager of a company is likely to either have incentives in
place (e.g., bonus compensation) or be under significant pressure to meet specific estimates, forecasts, or expectations about net income. The second condition (opportunity)
recognizes that in order for a fraud to be perpetrated, there must either be a weakness in
the system of internal control or an ability to circumvent the system. Finally, the third
condition (attitude/rationalization) recognizes that for an employee or a manager of a
company to perpetrate a fraud, the individual must possess an “attitude” that allows her
or him to rationalize why he or she is knowingly committing a crime. Each of these conditions is now discussed.6
Incentive/Pressure
Incentive or pressure gives rise to a motive to commit fraud. A motive, in the fraud context, is essentially a reason for a person to take a fraudulent action that is believed to be
unshareable with friends and confidants. Psychotic motivation is relatively rare, but it
is characterized by the habitual criminal who steals simply for the sake of stealing. In
6
For further reference, see D. R. Cressey, “Management Fraud, Accounting Controls, and Criminological Theory,” pp. 117–147, and
Albrecht et al., “Auditor Involvement in the Detection of Fraud,” pp. 207–261, both in R. K. Elliott and J. J. Willingham, Management
Fraud: Detection and Deterrence (New York: Petrocelli Books Inc., 1980); J. K. Loebbecke, M. M. Eining, and J. J. Willingham,
“Auditors’ Experience with Material Irregularities: Frequency, Nature, and Detectability,” Auditing: A Journal of Practice and
Theory, Fall 1989, pp. 1–28.
Chapter 6 Employee Fraud and the Audit of Cash 221
EXHIBIT 6.1
Fraud Conditions
Incentive/
Pressure
Source: W. Hillison, D. Sinason,
and C. Pacini, “The Role of the
Internal Auditor in Implementing
SAS 82,” Corporate Controller,
July/August 1998, p. 20.
Opportunity
Attitude
Highest
Risk
general, egocentric motivations drive people to steal to achieve more personal prestige.
Ideological motivations are held by people who think their cause is morally superior and
they are justified in making someone else a victim. However, economic benefits are by far
the most common motivations in business frauds, as demonstrated in the four Auditing
Insights in this section.
AUDITING INSIGHT
Driven by a Rhyme!
Incentives for employees to commit fraud can come from many places.
In the case of Wells Fargo Employees, the source may have been as
simple as a rhyme. Over a four-year period, over 5,000 lower-wage
employees fraudulently opened over a million fake bank accounts and
credit cards to make their ‘cross-sell’ goals of eight new accounts to
existing customers. By opening these fake accounts, and sometimes
transferring money into them from the customers’ other accounts,
Wells Fargo earned huge amounts of fraudulent fees and employees
met their quotas. But why eight? According to the CEO in the 2010
Wells Fargo annual report, “I’m often asked why we set a cross-sell
goal of eight. The answer is, it rhymed with ‘great.’ Perhaps our new
cheer should be: ‘Let’s go again, for 10!’”
Source: “How Wells Fargo Encouraged Employees to Commit Fraud,”
The Conversation, October 6, 2016.
The economic motive is simply a need or desire for money, and at times it can be
intertwined with egocentric and ideological motivations. Ordinary, honest people can
experience circumstances in which they have a new or unexpected need for money. If the
need arises and the legitimate channels to raise the money are closed, fraud may become
an option for some individuals. Consider the following needs:
∙
∙
∙
∙
∙
∙
∙
Make a house payment.
Pay uninsured medical bills.
Pay gambling debts.
Pay for drugs and alcohol.
Pay alimony and child support.
Pay for high lifestyle (vacation homes, cars, boats).
Finance business or stock speculation losses.
AUDITING INSIGHT
Do You Prefer a Mortgage Payment or a
Luxury Vehicle?
Kirbyjon Caldwell, a Houston pastor known for advising Presidents
George W. Bush and Barack Obama, and Gregory Smith, a former
financial advisor previously banned by the Financial Industry Regulatory
Authority, defrauded 29 elderly investors of $3.4 million by selling
them old Chinese bonds that had been in default for over 75 years.
Caldwell used his portion of the funds to pay for his living
expenses, including his mortgage payment. Smith chose to purchase
luxury automobiles.
Caldwell continued to preach to his congregation while facing charges, and expressed remorse for his actions, including
repaying all the funds to the investors. Despite this, the pastor
was convicted of fraud in 2021 and has begun serving a six year
prison sentence.
Source: “Famed Pastor Defrauded $3.4M from Elderly Investors: SEC”,
NY Post, March 30, 2018; “Houston Megachurch Pastor Kirbyjon Caldwell
Sentenced to Prison for Investment Scheme”, ABC13 Houston, January 13, 2021.
222 Part Two The Financial Statement Audit
Opportunity
An opportunity is an open door that enables a would-be fraudster to violate some type
of trust. The violation may be a circumvention of existing internal control activities, or it
may be simply taking advantage of an absence or lapse of a control activity in an entity.
In general, the higher the position in an organization, the higher the degree of trust, the
more likely that controls can be overridden, and, hence, the greater the opportunity for
larger frauds. Here are some examples:
∙ Inventory is not counted on a regular basis, so inventory shortages and losses are not
known.
∙ Proper separation of duties related to cash receipts or payments is compromised
because of a termination or retirement.
∙ The vice president of finance has investment authority without review.
∙ Frequent emergency jobs leave a lot of excess material in a manufacturing plant just
lying around.
AUDITING INSIGHT
That’s a Lot of Lunches!
Two lunch ladies in New Canaan, CT, were charged with embezzling nearly $500,000 from two schools in the area. Over the
course of at least five years, the sisters devised a plan to steal cash
payments made by students because the controls over the cash
receipts were weaker than at other area schools. Their free lunches
were stopped when employees from nearby schools noticed the
financial inconsistencies between school lunch programs. Once a
point of sale system was put in place to track individual sales and
the amount of cash received, daily deposits increased to appropriate levels.
Source: “Lunch lady sisters accused of stealing nearly $500,000” NBC News,
August 14, 2018.
Attitude/Rationalization
Practically everyone, even the most violent criminal, knows the difference between right
and wrong. Unimpeachable integrity is the ability to act in accordance with the highest moral and ethical values at all times. Thus, it is the lapses in integrity that permit a
person’s incentives or pressures to motivate fraudulent action when the opportunity presents itself. But people normally do not make deliberate decisions to “lack integrity today
while I steal some money.” They find a way to describe (rationalize) the act in words that
make it acceptable for their self-image. Here are some of these rationalizations:
∙
∙
∙
∙
∙
∙
∙
I need it more than other people.
I am borrowing the money and will pay it back.
Nobody will get hurt.
The company is big enough to afford it.
A successful image is the name of the game.
Everybody is doing it.
I am underpaid, so this is due compensation.
AUDITING INSIGHT
Her Time Was Coming
The second in command and heir-apparent to the CEO of a company
apparently couldn’t wait her turn. It was discovered that she was forging the CEO’s signature on expense reimbursements. Initially, the
company attributed this to a lapse in judgment and a desire to get
reimbursed faster. However, an investigation quickly discovered that
she had received nearly $1.4 million in fraudulent reimbursement.
Included in this were many personal expenses reclassified as business
expenses, such as toys labeled as “meals while out of town.”
Source: “Skimming and Scamming: Detecting and Preventing Expense Reimbursement Fraud” Accounting Today, June 25, 2018.
Chapter 6 Employee Fraud and the Audit of Cash 223
REVIEW CHECKPOINTS
6.3
What are some pressures that can cause honest people to contemplate fraud? List some egocentric
and ideological pressures as well as economic ones.
6.4
What conditions provide opportunities for employee fraud?
6.5
Give some examples of rationalizations that people have used to excuse fraud. Can you imagine
using them?
6.6
Is capability required to commit a fraud? Is capability part of opportunity, or should it be considered
a separate element of fraud?
FRAUD PREVENTION
LO 6-3
Describe techniques that
can be used to prevent
employee fraud.
Building a good fraud prevention program is an extremely difficult task. Most day-to-day
business activities require some trust in the processes for which controls will never be
absolute. Further, in an electronic payment environment, lack of controls can quickly lead
to costly fraud from both inside and outside the organization. For example, if we entrust an
individual with authorization for cash expenditures, a stolen or shared password enables
anyone who acquires access to the employee’s account to obtain physical custody of the
asset. As a result, taking steps to “fraud proof” an organization is a tall order.
Accountants and auditors have often been exhorted to be the leaders in fraud prevention by employing their skills in designing “tight” control systems. This strategy is, at
best, a short-run solution to a large and pervasive problem. Business activity is built on
the trust that people at all levels will do their jobs properly. As a result, it is essential that
management establish a strong control environment. A strong control environment and
tone at the top can have a pervasive effect on the prevention of fraud at an entity because
it can impact all components of an organization’s internal control system. For example, a
CEO who always acts with ethics and integrity sends a strong message to all employees
that management is serious about internal controls and fraud prevention.
Beyond a strong control environment, management must be sensitive to the needs of
the business by instituting controls that will prevent or detect fraud without impeding
business activity. Control systems limit trust and, in the extreme, can strangle business
in bureaucracy. The challenge is to have useful controls and to avoid picky rules that are
“fun to beat.” Managers and employees must have freedom to do business, which may
mean giving them some freedom that can result in committing frauds. Effective long-run
prevention measures are complex and difficult, involving the elimination of the causes of
fraud by mitigating the effect of motive, opportunity, and lack of integrity.
Managing People and Pressures in the Workplace
From time to time, people experience financial and other pressures. The pressures cannot be eliminated, but forums and facilities for sharing such pressures can and have been
created by leading organizations. Some companies have “ethics officers” to serve this
purpose. Their job is to be available to talk over various ethical dilemmas faced in the
workplace and help employees identify legitimate responses. However, it is important to
remember that the ethics officers are not normally psychological counselors.
Many companies have anonymous hotlines for reporting ethical problems. Indeed,
companies that must comply with the Sarbanes–Oxley Act of 2002 are required to maintain an anonymous employee hotline. Usually, the best kind of hotline arrangement is to
have the responding party be a third-party agency outside the organization. In the United
States, some external providers are in the business of being the recipients of hotline calls
and coordinating their activities with the audit committee or the internal audit department
of the various organizations to whom they provide this service.
224 Part Two The Financial Statement Audit
Another method of long-term fraud prevention, however, lies in the treatment of
people within an organization. Managers and supervisors at all levels can exhibit a
genuine concern for the personal and professional needs of their subordinates and fellow managers, and subordinates can show the same concern for each other and their
managers. Many companies facilitate this caring attitude with an organized employee
assistance program. They offer a range of counseling referral services dealing with substance abuse, mental health issues, family problems, crisis help, legal matters, health
education, retirement, career paths, job loss troubles, and family financial planning.
These program types are not guaranteed to prevent fraud, but they can have a positive
impact for an organization.
When external auditors are engaged in the audit of an entity’s financial statements,
they must obtain an understanding of and evaluate the control environment. In so doing,
the audit team should consider how management addresses these types of employee
issues. Using devices such as those discussed here can enhance an entity’s control environment and represents the start of an effective internal control system.
Internal Control Activities and Employee Monitoring
As discussed in Chapter 5, internal control activities may include job descriptions and
performance specifications that help people know the specific tasks they are supposed
to accomplish. An entity whose only control is “trustworthy employees” has no control.7
The possibility of being detected by a control activity can be an effective deterrent to a
potential fraudster. Stated simply, control activities often take away the opportunity for a
fraudster to commit a fraud.
As previously discussed, concealment of the crime is a distinguishing attribute of a
fraud. Often, the audit team’s first indication of a fraud is the identification of a control
violation. Cover-up attempts generally appear in the accounting records. The key for an
auditor is to be aware of and notice exceptions and oddities such as the following:
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
∙
7
Transactions recorded at unusual times of the day, month, or year.
An unusual (either large or small) number or dollar amount of transactions.
Transactions for “round” dollar amounts (e.g., $50,000).
Transactions associated with unusual branches or locations of a multilocation entity.
Cash shortages and overages.
Excessive voids and credit memos.
General ledgers that do not balance.
An increase in past due receivables.
Inventory shortages.
Unexplained adjustments to inventory or accounts receivable balances, especially without
adequate supporting documentation.
Increased scrap or waste in a manufacturing plant.
Alterations on official documents.
Duplicate payments made to the same vendor.
Employees who cannot be identified.
Use of copies instead of originals for supporting documentation.
Missing documentation to support transactions.
Unusual endorsements on checks.
Unusual patterns in deposits in transit.
Common names or addresses for refunds.
Consistent customer complaints about account balances or missing shipments.
W.S. Albrecht, “How CPAs Can Help Clients Prevent Employee Fraud,” Journal of Accountancy, December 1988, pp. 110–114.
Chapter 6 Employee Fraud and the Audit of Cash 225
As noted previously in Chapter 5, an important feature of an effective internal control
system is the separation of duties and responsibilities for (1) transaction authorization,
(2) record keeping, (3) custody of or access to assets, and (4) reconciliation of actual
assets to the accounting records. In general, a person acting alone or in a conspiracy who
can perform two or more of these functions can commit a fraud by taking assets, converting them, and then covering up the crime. Proper separation of duties and responsibilities
can prevent such fraudulent actions. For example, as it relates to cash disbursements,
effective internal control begins with different people and different departments handling
the cash disbursement authorization; custody of blank documents (checks); record keeping for payments; and bank reconciliation. Auditing with fraud awareness often involves
the combination of observing client control activities that were put in place and trying to
“think like a crook” and imagine ways that theft could occur. When controls are missing,
the ways and means for theft may be obvious. Otherwise, it might take significant planning and collusion to figure out how to steal from an employer. An auditor often tries to
assess fraud risk by considering the factors in the following Auditing Insight.
AUDITING INSIGHT
When Assessing Fraud Risk, Answer These
Questions
According to fraud experts Joseph Wells and John Gill of the
Association of Certified Fraud Examiners, when assessing fraud risk,
answering a set of 15 questions is a good starting point for sizing
up a company’s vulnerability to fraud and creating an action plan for
lessening the risks. Their key questions are
1. Is the company dominated by one or two key employees?
2. Do any key employees appear to have a close association with
vendors?
3. Do any key employees have outside business interests that might
conflict with their job duties?
4. Does the organization conduct pre-employment background
checks to identify previous dishonest or unethical behavior?
5. Does the organization educate employees about the importance
of ethics and antifraud programs?
6. Does the organization have antifraud policies and provide an
anonymous way to report suspected violations of ethics?
7. Is job or assignment rotation mandatory for employees who handle cash receipts and accounting duties?
8. Has the company established positive pay controls with its bank
by supplying the bank with a daily list of checks issued and authorized for payment?
9. Are refunds, voids, and discounts evaluated on a routine basis
to identify patterns of activity among employees, departments,
shifts, or merchandise?
10. Are purchasing and receiving functions separate from invoice processing, accounts payable, and general ledger functions?
11. Is the employee payroll list periodically reviewed for duplicate or
missing Social Security numbers?
12. Are there policies and procedures that address the identification,
classification, and handling of proprietary information?
13. Do employees who have access to proprietary information sign
nondisclosure agreements?
14. Is there a company policy that addresses the receipt of gifts, discounts, and services offered by a supplier or customer?
15. Are the organization’s financial goals and objectives realistic?
Source: Joseph T. Wells and John D. Gill, “Assessing Fraud Risk,” Journal of
Accountancy, October 2007, pp. 63–65.
When collecting corroborating evidence to support the financial statements, the audit
team must remain vigilant against the potential for fraud. Discrepancies in the accounting
records, conflicting evidence, and missing documentation are all symptomatic of financial statement fraud. When the audit team identifies such instances, members must follow
up with management to identify the source of the problems. Management’s response is
a key source of evidence; vague, implausible, or inconsistent responses to inquiries can
be a key indicator of the pervasiveness of the fraud. Similarly, problematic or unusual
relationships between the audit team and management are often present in financial statement frauds.
Module D presents a comprehensive discussion of fraud examinations and how they
differ from financial statement audits. However, an example to illustrate the difference
226 Part Two The Financial Statement Audit
between the engagements relates to evidence. The collection of evidence in a fraud
examination (which can lead to prosecution and court scrutiny) is fundamentally different from the collection of evidence to support the auditor’s opinion. If the auditors do
come across questionable documents or any other evidence that may indicate fraud, they
should immediately work to preserve the chain of custody of evidence. The chain of custody is the crucial link of the evidence to the criminal suspect that bears directly on the
relevance of evidence often referred to by attorneys and judges. If documents are lost,
mutilated, coffee stained, or otherwise compromised (so a defense attorney can argue
that they were altered to frame the suspect), they lose their effectiveness for the prosecution. When completing a fraud examination, auditors should learn to mark the evidence,
writing an identification of the location, condition, date, time, and circumstances as
soon as it appears to be a signal of fraud. This marking should be on a separate tag or
page; the original document should be put in a protective (plastic) envelope for preservation and locked away for protection. Then audit work should proceed with copies of
the documents instead of originals. A record should be made of the safekeeping and of
all persons who use the original. Any eyewitness observations should be recorded in a
timely manner in a memorandum or on tape (audio or video) with corroboration of colleagues, if possible.
Similarly, an auditor may be involved in collecting evidence that is found in computers
or stored in a digital manner. This type of computer forensic work must be completed with
great care, and the goal is to examine the evidence in a manner that would be appropriate
in reaching the goal of “identifying, preserving, recovering, analyzing, and presenting
facts and opinions about the information.” Generally, the evidence that is gathered from a
computer forensic investigation is subject to the same rules of evidence as manual data in
the eyes of law enforcement. This brief example underscores the importance of an auditor
being properly trained to conduct a fraud examination.
Tone at the Top
Establishing the right tone at the top is an essential step toward building a strong fraud
prevention program. This tone is established by upper management, in large part, to demonstrate a commitment to integrity and high ethical standards in the completion of all
activities throughout the organization. The upper management team is responsible for
setting the tone at the top. To send the right message from the top, many organizations
publish codes of conduct for employees. Some of these codes are simple, and some are
very elaborate. Government agencies and defense contractors typically have the most
elaborate rules for employee conduct. Sometimes these codes are effective; sometimes
they are not. However, a code can be effective only if the control environment and tone
at the top support it. When the chairman of the board and the president make themselves
visible and living examples of the code of conduct, other people will then believe it is
real. Subordinates tend to follow the boss’s lead.
Hiring and termination policies are important. Background checks on prospective
employees are advisable and very good business practice. A new employee who has been
a fraudster in some other organization’s accounting department has a higher probability
of being a fraudster in a new organization. As a result, organizations have even been
known to hire private investigators to make background checks. Fraudsters should be
fired and, in most cases, prosecuted. Experience has shown that they have a low rate of
repeat offenses if they are prosecuted, but they have a high rate if not. Prosecution has the
added benefit of sending the message that management does not believe that fraudulent
activity is acceptable.
Unfortunately, the accompanying Auditing Insight, while incredibly disappointing, is
far more common than it should be. As a result, auditors must always be vigilant and
remain skeptical about the possibility of discovering employee fraud at their audit clients.
This is why we have just provided so much coverage of the topic to begin this chapter.
We now turn our attention to the account that is most frequently targeted by employee
thieves—cash.
Chapter 6 Employee Fraud and the Audit of Cash 227
AUDITING INSIGHT
Hope He Doesn’t Need Medical Care. . .
Ralph Puglisi embezzled at least $12.8 million over a six-year period
from the University Medial Services Association, which pays for the
operation of the University of South Florida’s medical system. The
association lacked appropriate segregation of duties, enabling Puglisi to use company credit cards, which he managed, to funnel the
money through accounts on an adult website. Puglisi would charge
large amounts on the site and pay a 40% fee to the recipients and
receive the difference. An investigation into the fraud began in 2021.
Puglisi was able to accomplish the fraud because he had full authority
to open up new credit card accounts, set the spending limits, and manage card access. This incident further demonstrates the importance of
segregating duties when cash is involved.
Source: “An Employee Embezzled $12.9 Million from a Medical School’s Non-profit.
He spent most of it at one adult site,” The Washington Post. August 17, 2021.
REVIEW CHECKPOINT
6.7
What are some red flags that may indicate a cover-up or concealment of a fraud?
6.8
Is there anything odd about these two situations? (a) A check to Larson Electric Supply was
endorsed with “Larson Electric” above the signature of “Eloise Garfunkle.” (b) Numerous electronic payments were made and dated December 25, January 1, and July 4.
THE AUDIT OF CASH
LO 6-4
Identify the relevant
assertions and risks of
material misstatement that
are typically related to the
cash balance.
This section of the chapter is focused on the procedures that are completed as part
of the financial statement audit for cash. However, our discussion of controls also
includes examples of internal control activities that are specifically put in place to
help prevent or detect employee fraud. In addition, because cash is relevant to each
of an audit client’s accounting cycles, we also discuss cash when describing the audits of
the different cycles in the following chapters. For example, the basic activities in the
revenue and collection cycle (Chapter 7) are (1) receiving and processing customer
orders, including credit granting; (2) delivering goods and services to customers;
(3) billing customers and accounting for accounts receivable; (4) collecting and
depositing cash received from customers; and (5) reconciling bank statements. The
basic acquisition and expenditure activities (Chapter 8) are (1) purchasing goods
and services and (2) paying the bills. Similarly, the production and conversion cycle
(Chapter 9) and the investing and financing cycle (Chapter 10) also feature the collection
or expenditure of cash.
Management Reports and Data Files in an Audit of Cash
There are a number of different management reports, documents, and data files that are
typically used by auditors when completing work on the cash account. These include
the cash receipts journal, the cash disbursements journal, bank reconciliations, canceled
checks, and bank statements.
Cash Receipts Journal
The cash receipts journal contains all of the detailed entries for all receipts of cash by the
entity (debits to the cash account), including cash deposits. It contains the population of
credit entries that should be reflected in the credits to accounts receivable for customer
payments. It also contains the adjusting and correcting entries that can result from the
bank account reconciliation. These entries are important because they may signal the
types of accounting errors or manipulations that occur in the cash receipts accounting.
228 Part Two The Financial Statement Audit
Cash Disbursements Journal
The cash disbursements journal is the company’s detailed record of entries for checks written and electronic payments made during the period being audited (cash disbursements).
Because all cash disbursements (other than those from a petty cash or payroll account)
should be made via check or electronic transfer, the cash disbursements journal contains
the cash credit entries that provide a population for testing cash disbursements. It also contains the adjusting and correcting entries that can result from the bank account reconciliation. These entries are important because they may signal the types of accounting errors
or manipulations that occur in the cash disbursements accounting. The cash disbursements
journal is usually inspected for suspect items such as checks made out to “cash” or “bearer”
or electronic payments made to unauthorized vendors. In addition, company procedures
should require that “voided” checks be retained and auditors should review these checks
to ensure they were in fact actually voided and have not been recorded in bank statements.
Bank Reconciliations
The company’s bank reconciliation is the primary document used to test the cash balance in the financial statements. The amount of cash in the bank is almost always different from the amount in the general ledger (financial statements), and the reconciliation
is designed to explain the difference between these two amounts. In addition, a bank
account reconciliation that compares the book cash balance to the bank cash balance provides management with an opportunity to monitor the separation of duties for cash receipts
and cash disbursements. The timely preparation of bank reconciliations is, therefore, an
important element of a company’s internal control activities over cash.
Detecting Fraudulent Checks
Exhibit 6.2 describes the information found on the front of a typical check. Although companies do not receive the actual check back, a scanned image obtained of the check front is
EXHIBIT 6.2 How to Read the Front of a Check
Chapter 6 Employee Fraud and the Audit of Cash 229
generally included with most bank statements and can be used to test for payees, amounts,
or dates that do not match the cash disbursements journal. Further, check fronts obtained
directly from a bank statement can be used to verify appropriate use of certain important
internal controls, such as dual signatures for expenditures greater than a certain amount. It is
important to understand characteristics of legitimate checks, not only for auditing purposes,
but also for protecting yourself from fraud. Fake check scams have increased over 65% since
2015 and targeted victims are often not the elderly, as with most scams, perhaps because the
elderly have more experience with checks. The recent target population—college students
and the 20-something population, as described in the next Auditing Insight.
AUDITING INSIGHT
Secret Shopper? More Like Secret Scammer
Mika Benkert thought she had taken on a new job as a secret shopper. To test the system for her job, she was given a check for $3,450
and asked to wire $1,000 each to three separate people and keep
the rest. Within days, the $3,450 check bounced and Mika was
out $3,000— money she counted on to pay her rent and buy food.
Unfortunately, Mika’s story is not unique. Over 27,000 victims were
reported in 2019 alone, and the number appears to be increasing
each year with an average loss of $2,000. Why do smart, educated
young victims fall for this so regularly? A likely explanation is lack of
familiarity with checks. With the emergence of Venmo, Apple Pay, and
other instant payment systems, younger victims expect that once they
see the money in their account, it is theirs. Most college students are
well aware of the risk of fraud with Apple Pay or Venmo. However,
checks are somewhat of a mystery for many. They can take weeks to
actually clear and represent valid cash, even after it shows up in your
account and the bank says it is cleared. The Federal Trade Commission warns that you should never wire or otherwise transfer money to
a stranger, including through gift cards. In addition, they recommend
ignoring any offers that ask you to pay for a prize, and never accept
a check for more than the selling price. If you ever suspect that you
have been approached or victimized by a scammer, report it to the
Federal Trade Commission, your state attorney general, or the U.S.
Postal Inspection Service.
Sources: “Millennials Targeted in New Scams Using Fake Checks,” NBC
Nightly News, February 7, 2020; “How to Spot, Avoid, and Report Fake Check
Scams,” Federal Trade Commission.
Historically, individuals engaging in fraudulent schemes involving cash often try to
conceal their crimes by removing canceled checks they made payable to themselves or
endorsed on the back with their own names. However, banks no longer return the canceled checks to their customers. Instead, copies of the front of the checks are included
with the bank statement, often received electronically. This information is sufficient for
reconciling an account, but it does not provide the information that may assist a company or auditor in detecting or investigating possible frauds. Other banks retain images of
checks (generally only the front) on their websites. Given the reduction in ability to detect
fraud through canceled check documentation, auditors, controllers, and CFOs should
strongly recommend that their client or company pay close attention to the information
that is available, and an increased emphasis on internal controls over checks is warranted.
Bank Statements
Most of the information shown on the bank statement in Exhibit 6.3 is self-explanatory.
However, auditors should not overlook the usefulness of some of the information: The number and dollar amount of deposits and checks can be compared to the detail data on the bank
statement; the account holder’s federal business identification number is on the statement,
and this can be used in other databases; and the statement itself can be studied for alterations.
REVIEW CHECKPOINTS
6.9
Since checks are not returned to clients, how can an auditor tell whether the amount on a check
was altered prior to payment by a bank?
6.10 Take a closer look at Exhibit 6.3. Is there anything wrong with the bank statement? What are some
ways to tell whether any of the amounts have been altered?
230 Part Two The Financial Statement Audit
EXHIBIT 6.3
Small Business Bank
Statement
Significant Accounts and Relevant Assertions
According to the professional standards, an account or disclosure is significant if there
is a reasonable chance that it could contain a material misstatement. The auditor identifies
significant accounts and relevant assertions by applying the audit risk model.
Chapter 4 introduced the audit risk model. As noted there, this model allows auditors
to reduce audit risk to desired levels. Audit risk is defined as the risk that auditors will
issue an unmodified opinion on financial statements that contain a material misstatement.
Audit risk is manifested when a material misstatement enters the financial reporting
process (inherent risk) that the client’s internal controls do not prevent or detect (control
risk) and that the auditors’ substantive procedures do not detect (detection risk). Recall
the basic three-step approach for using the audit risk model to plan an engagement:
1. Set audit risk at desired levels (normally, low).
Chapter 6 Employee Fraud and the Audit of Cash 231
2. Assess risk of material misstatement, which incorporates inherent risk based on the
nature of the account balance or class of significant transactions and control risk based
on gaining an understanding of internal control.
3. Determine detection risk at the significant account and assertion level based on the
level of audit risk and risk of material misstatement.
The components of the audit risk model are assessed for each significant account
and relevant assertion. This assessment recognizes that certain accounts and assertions
assume an increased level of importance and are of more interest to auditors than others.
For cash, existence is always a relevant assertion in the audit plan. Other assertions may
also be relevant, depending on the facts and circumstances of the engagement. For example, if an audit client has worldwide operations, valuation may be relevant because certain
cash balances may be denominated in foreign currencies, necessitating a translation
adjustment.
Once all of the significant accounts and disclosures have been identified, the auditor then needs to identify the relevant assertions. According to the professional standards, a financial statement assertion is relevant if it has a reasonable possibility of
containing a misstatement that would cause the financial statements to be materially
misstated. Exhibit 6.4 identifies the assertions that are typically most relevant for cash.
Although different companies may have other risks, in general the most significant
risks relate to the existence of cash and the presentation and disclosure of cash. As
previously stated, depending on the nature of the audit client’s operations, valuation
may also be a relevant assertion for cash. Although we will focus our discussion on these
assertions, other assertions may be relevant depending on the facts and circumstances at
the audit client.
Risk of Material Misstatement
As part of the planning process, the auditor must determine the source of a misstatement that could cause the financial statements to be materially misstated. One way
to assess the risk of material misstatement is to use the “what could go wrong?”
(WCGW) approach when thinking of each financial statement assertion. WCGW is
a part of each audit firm’s process and enables a thorough assessment of the risk of
material misstatement.
When considering WCGW for cash, auditors consider three primary concerns:
(1) Does the reported cash balance really exist? (2) Is the cash balance valued properly?
(3) Is the reported cash balance presented properly and have the appropriate disclosures
been made? Exhibit 6.5 summarizes the WCGW analysis for cash.
EXHIBIT 6.4
Significant Accounts
and Relevant
Assertions
Significant Account
Relevant Assertions
Cash
Existence
Valuation
Presentation and disclosure
EXHIBIT 6.5
What Could Go
Wrong?
Significant Account
Relevant Assertions
What Could Go Wrong?
Cash
Existence
The cash balance may not exist in the company’s
bank accounts.
Valuation
The cash balance that is held in foreign countries
may not have been translated properly.
Presentation and disclosure
There may be restrictions on the cash balance that
were not properly disclosed.
232 Part Two The Financial Statement Audit
LO 6-5
Identify important internal
control activities present in a
properly designed system to
mitigate the risk of material
misstatements for each
relevant assertion related to
cash and to help prevent or
detect employee fraud.
Evaluating the Design and Operating Effectiveness of Internal Controls
When evaluating the design of internal controls related to cash, an auditor must always
consider whether the controls have been designed to mitigate the risk of material misstatement for each relevant assertion identified for the cash balance. In addition, because
cash is so frequently a favorite target of employee thieves, controls over cash must be
unusually strong and include special considerations related to employee fraud. As a consequence, when evaluating the design of internal controls related to cash, an auditor must
also consider whether the controls have been designed to mitigate the risk of employee
fraud. Clearly, there is overlap between these two goals (i.e., mitigating the risk of material misstatement and preventing employee fraud), meaning that certain control activities
may help to achieve objectives at an audit client. However, to help improve your understanding of both objectives, we now consider these topics separately.
Internal Control Evaluation for Mitigating the Risk of Material Misstatement
Recall from the audit risk model that the auditor assesses inherent risk to determine where in the financial statements it is reasonably possible that a material misstatement could enter the process before the consideration of any internal controls.
However, risk of material misstatement is the combination of both inherent risk and
control risk.
Professional standards require auditors to first gain an understanding of the internal
controls that have been designed to mitigate the risk of material misstatement for each
relevant assertion identified by the auditor. In a well-designed system, the internal control
activity should be explicitly designed to be aligned with this relevant assertion that was
identified in a WCGW analysis.
In effect, the question an auditor should ask is, “Has the audit client designed and
implemented a control that, if operating effectively, would mitigate the identified risk of
material misstatement? Would it prevent or detect the material misstatement?” Importantly, we have already discussed how auditors would gain an understanding of the internal controls related to cash earlier in this chapter, including the control environment and
tone at the top. This discussion remains relevant when auditing the cash balance.
However, when auditing the cash balance, for each WCGW identified, the auditor
seeks to identify a control activity that has been placed in operation to mitigate the identified risk of material misstatement. For example, as shown in Exhibit 6.6, for the WCGW
scenario related to the existence of cash (i.e., the cash does not exist in the company’s
bank account), the auditor must consider what management can do to prevent this misstatement from entering the financial statements or from going undetected. One control
that the auditor would expect management to implement involves periodic reconciliation
of the bank balance to the book balance. If an employee regularly completes the reconciliation and a supervisor reviews the reconciliation, the control should mitigate the risk
that a material misstatement can proceed through the accounting system undetected.
In order to rely on the design of the client’s internal controls and support a reduction in
control risk, the auditor must determine if each identified control is operating as designed
and whether the person operating the control has the authority and competence to do so.
The auditor’s ultimate responsibility is to document enough support to conclude whether
the control activity was operating effectively to mitigate the risk of material misstatement
for the relevant assertion identified.
Auditors can perform tests of controls to determine whether company personnel are
properly performing controls that are said to be in place. In general, the procedures used in
tests of controls are inquiry, observation, inspection, and reperformance. Understand that if
a control is missing or ineffective, the risk of a material misstatement increases, but an
error or fraud may or may not exist. Thus, if controls are not in place or personnel in the
organization are not performing their control activities effectively, auditors need to design
substantive procedures to try to detect whether control failures have produced material
misstatements in the financial statements. Exhibit 6.6 includes a column that identifies
Chapter 6 Employee Fraud and the Audit of Cash 233
EXHIBIT 6.6
Tests of Internal
Control
Significant
Account
Relevant
Assertions
What Could Go
Wrong?
Internal Control
Activity
Cash
Existence
The cash balance
may not exist in the
company’s bank
accounts.
The CFO performs
a detailed review
of the bank
reconciliation on a
monthly basis.
For a sample of bank
reconciliations, reperform
the reconciliation. Trace
several reconciling items to
the appropriate supporting
documentation.
Valuation
The cash balance
that is held in foreign
countries may not
have been translated
properly.
The treasurer
reviews the
cash translation
adjustment
calculation monthly
and independently
checks that the
appropriate spot
rate has been used
for each foreign
currency.
Inspect the monthly cash
translation adjustment
calculation for evidence of
the treasurer’s review.
Presentation
and disclosure
There may be
restrictions on the
cash balance that
were not properly
disclosed.
The corporate
secretary reviews
the cash footnote
disclosure on a
quarterly basis
to ensure that all
legal restrictions on
the cash balance
have been properly
disclosed.
For a sample of cash
accounts, reperform
the work completed by
the corporate secretary
to ensure that all cash
restrictions have been
properly disclosed.
Tests of Internal Control
the type of test of controls that may be performed in order to support a reduction in control risk and ultimately a reduction in the amount of substantive testing.
Once the tests of control are completed, auditors must evaluate the body of evidence
related to internal controls. The initial process of obtaining an understanding of the company’s controls and the later process of obtaining evidence from actual tests of controls
are two of the phases of control risk assessment. If the control risk is assessed to be very
low, the substantive procedures on the account balances can be reduced, resulting in audit
efficiency. On the other hand, if tests of controls reveal weaknesses, the substantive procedures need to be designed to lower the risk of failing to detect material misstatement in
the account balances.
Internal Control Evaluation for Preventing or Detecting Employee Fraud
We now take a step back from the financial statement audit to consider how an organization can help to prevent or detect employee fraud with properly designed control activities. Recall that because cash is highly liquid, not easily identifiable as company property,
and portable, it tends to be a favorite target of employee thieves. Thus, controls over cash
must be unusually strong and include special considerations related to employee fraud.
In that spirit, it is essential that an audit client implement control activities for both cash
receipts and disbursements that are designed to help “fraud-proof” the organization. Of
course, many of the control activities that we are about to discuss are also designed to
help mitigate material misstatements in the financial statements. However, for now, focus
on the following control activities as they are designed to prevent the misappropriation
(or theft) of cash in an organization.
234 Part Two The Financial Statement Audit
Control Activities for Cash Receipts Cash can be received in several ways—over the counter, through the mail, and by electronic funds transfer. It can also be received in a lockbox
arrangement in which payments are remitted by customers to an external location (i.e.,
a lockbox). In a lockbox arrangement, a fiduciary (usually a bank) opens the box on a
daily basis, lists the receipts, deposits the money, and sends the remittance advices (stubs
showing the amount received from each customer) to the company. Refer to Exhibit 6.7
for some cash receipts processing procedures in a manual accounting setting.
In many situations, an individual employee initially receives cash and checks and thus
has custody of the physical cash for a short time. Because this initial custody cannot be
avoided, it is always a good control to (1) have two people open the mail containing customer
receipts, if possible, resulting in joint custody; (2) endorse the checks immediately after
removing them from the envelope; (3) prepare a list of the cash receipts as early in the
process as possible; and then (4) separate the actual cash from the record-keeping documents. The cash should be sent to the cashier or treasurer’s office where a bank deposit is
prepared and the money is sent to the bank daily and intact. (No money should be withheld from the deposit.) The list of remittance advices go to the accountants (controller’s
office), who record the cash receipts. (You have prepared a “remittance advice” each time
you write the amount enclosed on part of your credit card bill, tear it off, and enclose it
with your check.)
The accountants who record cash receipts and credits to customer accounts should
never handle the cash. They should use the remittance list or remittance advice to make
the entries to the cash and accounts receivable control accounts and to the customers’
EXHIBIT 6.7 Cash Receipts Processing
Treasurer’s Office
Marketing Department
(salesclerks)
Cashier
Controller’s Office
Cash Management
Operations Department
(mailroom)
START
Cash received
Accounts Receivable
2
Prepare cash
remittance
list.
C.R.L.
C.R.L.
2
Cash
1
Remittance
List
1
Approve
discounts.
Prepare
deposit.
3
1
Post
to customer
accounts.
Prepare cash
receipts journal.
Post to general
ledger.
Approval
of discounts noted
on remittance list.
Money
2
General Ledger
3
C.R.L.
Deposit Slip 2
Deposit Slip 1
All cash receipts
are deposited
intact, daily.
C.R.L.
3
Deposit Slip 2
Monthly Bank
Statement
Prepare
monthly
reconciliation.
To
bank
Cash
Receipts
Journal
Individual
Customer
Accounts
Subsidiary
Accounts
Receivable
Control
Cash
Accounts
2
Cash
Remittance
List
1
Cash
Remittance
List
Date
Date
Chapter 6 Employee Fraud and the Audit of Cash 235
accounts receivable subsidiary account records. A good internal control activity is to
have the control account and subsidiary account entries made by different people, and
later the accounts receivable entries and balances can be compared (reconciled) to determine whether they agree in total. Most computerized accounting programs post the customers’ accounts automatically by keying in the customer identification number, and the
computer program controls agreement.
At the end of the day, an independent employee should receive (1) a copy of the cash
remittance listing, (2) a report of payments recorded in accounts receivable, and (3) a
copy of the deposit slip from the bank. Commercial deposit slips have multiple copies.
The bank runs these copies through the teller machine, which imprints the time, date,
account, and amount on each copy. At least one copy is returned to the person making
the deposit, who returns the copy to the company as evidence that the deposit was made.
If the cash received during the day is maintained intact, the information on all three items
should match.
Take a close look at Exhibit 6.7. Suppose that the cashier who prepares the remittance list had stolen and converted Customer A’s checks to personal use. It might work
for a short time until Customer A complained that the entity had not credited the account
for payments. The cashier, of course, knows this. So, the cashier later puts Customer
B’s check in the bank deposit but shows Customer A on the remittance list; thus, the
accountants give Customer A credit. So far, so good for preventing Customer A’s complaint. But now Customer B needs to be covered. To detect this type of lapping scheme,
a detailed audit should include a comparison of the checks listed on a sample of deposit
slips (Customer B) to the detail of customer remittances recorded to customer accounts
(Customer A). Doing so is an attempt to find credits given to customers for whom no payments were received on the day in question.
AUDITING INSIGHT
Lapping Up the Rents
Holly Dalton used her business as a property manager in Colorado
Springs, CO, to steal nearly $100,000 from landlords and tenants. Dalton stole damage deposits and used a lapping scheme to steal rents.
She would embezzle rent checks for her own use and would apply
rent payments from other customers to the receivables to hide her
crime. Dalton was sentenced to four years probation and restitution,
but did not serve any jail time for her crimes.
Source: “Property Management in Colorado Springs Sentenced to Probation,”
KKTV News, January 9, 2018.
Employees outside the normal cash operations (recording and custody) should prepare bank account reconciliations on a timely basis. Deposit slips should be compared
to the details on cash remittance lists, and the total should be traced to the general ledger
accounts receivable entries. (This reconciliation would reveal whether money was withheld from the deposit.) This care is required to establish that all the receipts recorded in
the books were deposited and that credit was given to the right customer.
A common feature of cash management is to require that persons who handle cash be
insured under a fidelity bond, which is an insurance policy that covers most kinds of cash
embezzlement losses. Fidelity bonds do not prevent or detect embezzlement, but the failure to carry the insurance exposes the company to complete loss if embezzlement occurs.
Moreover, bonding companies often perform their own background checks of employees
before bonding them. Auditors often recommend fidelity bonding to small companies
that might not know about such coverage.
Tests of Controls over Cash Receipts The first step in testing the controls over both
cash receipts and cash disbursements (discussed later) is to gain an understanding of
the controls and document that understanding. Information about a company’s internal
236 Part Two The Financial Statement Audit
control activities can be gathered in different ways, which may include completing an
internal control questionnaire. A selection of this type of questionnaires for both manual
and entirely automated controls over cash receipts is found in Appendix 6A at the end
of this chapter. You can study these questionnaires for details related to other desirable
control activities as well.
Another more common way to obtain general information about controls can be
achieved by conducting a walkthrough. In conducting walkthroughs, the auditors select
examples of a transaction (in this case, customer remittance advices) and “walk them
through” the information-processing system from their initial receipt all the way to their
recording in the accounting records. Sample documents are collected, and employees
in each department are questioned about their specific duties. The walkthrough, combined with inquiries, can contribute evidence about appropriate separation of duties,
which might be a sufficient basis for a preliminary assessment of control risk. However,
a walkthrough is too limited in scope to provide evidence of whether the client’s control
activities were operating effectively during the period under audit. Rather, to justify a
low control risk assessment and a reduction of substantive testing procedures, an auditor would have to conduct a test of operating effectiveness for the control activity under
consideration.
An entity should establish input, processing, and output control activities to prevent, detect, and correct accounting errors. Auditors can perform tests of controls to
determine whether the internal control activities related to the correct handling of cash
receipts are operating effectively. If the internal control activities are not operating
effectively (e.g., because personnel in the organization are not performing the cash
control activities very well), auditors may need to expand substantive audit procedures
to ensure that the cash balance is not materially misstated and to identify possible
fraudulent acts related to cash.
Exhibit 6.8 contains a selection of tests of controls for cash receipts transactions.
Many of these procedures can be characterized as steps taken to verify the content and
character of sample documents from one file with the content and character of documents
in another file. These steps are designed to enable the audit team to obtain objective evidence about the effectiveness of control activities and about the reliability of accounting
records. An audit plan for tests of controls over cash is found in Appendix 6B.
Control Activities for Cash Disbursements As described in the previous section, the
first step in testing the controls for cash disbursements is to gain an understanding of
the controls and document that understanding. Similar to cash receipts, for cash disbursements, effective internal control begins with making sure that appropriate separation of
duties has been achieved in an organization. Proper separation involves different people and
different departments handling custody of blank documents (checks), cash disbursement
authorization, record keeping for payments, and bank reconciliation:
EXHIBIT 6.8
Tests of Controls for
Cash Receipts
Internal Control
Test of Control
• Cash receipts are deposited intact and daily.
1. Observe the opening of the mail and ensure that:
a.Two employees are opening the mail, remittance
advice is received, and checks are properly
endorsed.
b.A listing of all checks is being prepared and compared
to the total of the deposit ticket for the total of checks.
c.The total amount of the deposit listed in the bank
statement was recorded in the proper period.
• Deposits are reconciled with totals
posted to the accounts receivable
2. For a sample of daily postings to the accounts
receivable subsidiary ledger, trace the amount to the
amount of cash subsidiary ledger.
Chapter 6 Employee Fraud and the Audit of Cash 237
∙ Custody. Blank documents such as blank checks should be kept secure at all times. If
unauthorized persons can obtain a blank check, they can be in another country before
an embezzlement is detected.
∙ Authorization. Cash disbursements are typically authorized by an accounts payable
department’s assembly of purchase orders, vendor invoices, and internal receiving
reports to demonstrate a valid obligation to pay. This assembly of supporting documents is called a voucher and will be discussed in more detail in Chapter 8. (Accounts
payable obligations usually are recorded when the purchaser receives the goods or
services ordered.) A person authorized by management signs the checks. A company
may have a policy to require two signatures on checks over a certain amount (e.g.,
$50,000). Vouchers should be marked “PAID” or otherwise stamped to show that they
have been processed completely so they cannot be paid a second time.
∙ Recording. When checks are prepared, entries are made to debit accounts payable and
credit cash. Someone without access to the check-writing function should always perform the recording function.
∙ Reconciliation. Monitoring of the internal control over cash can be provided by timely
bank reconciliations made by individuals outside of the normal cash operations.
If combinations of two or more of these responsibilities are completed by one person or within the same office, there may be an opportunity for a fraudster to commit a
crime. In addition, and almost more important in today’s environment, is the fact that the
computerized information-processing system must also provide for proper separation of
duties. In practice, this is often accomplished by assigning the proper functional “permissions” to the appropriate employees through their password access credentials. Simply
stated, in a computerized environment, proper separation of duties is dependent on proper
password access controls. This is discussed in more detail in Module H.
Tests of Controls over Cash Disbursements An entity should have detailed control
activities in place and operating to prevent, detect, and correct accounting errors. Auditors can perform tests of controls to determine whether the internal control activities
related to the correct handling of cash disbursements are operating effectively. If the
internal control activities are not operating effectively (e.g., because personnel in the
organization are not performing the cash control activities very well), auditors need to
expand substantive audit procedures to ensure that the cash balance is not materially misstated and to identify possible fraudulent acts related to cash.
Exhibit 6.9 identifies common internal control activities that are designed to prevent
or detect the misappropriation of cash and the typical test of control that would be used
by auditors. As you will note, many of these procedures can be characterized as steps
taken to make it difficult for a fraudster to steal cash. However, there are also controls
designed to detect fraudulent activity if it occurs. The control tests are designed to enable
the audit team to obtain objective evidence about the operating effectiveness of control
EXHIBIT 6.9
Tests of Controls over
Cash Disbursements
Internal Control
Test of Control
• Checks are not printed until voucher packets are
prepared.
• An employee compares amounts on printed
checks with voucher packets prior to submission
for signature.
• Only authorized signers are permitted to sign
checks.
1. For a sample of recorded cash disbursements from
the cash disbursements journal, inspect supporting
documentation for evidence of mathematical
accuracy, correct classification, proper approval,
authorized signature and then compare the
date on the check with the date recorded in the
disbursements journal.
• Checks are prenumbered and accounted for.
2. Scan checks for sequence. Look for gaps in
sequence and duplicate numbers.
• Bank reconciliations are prepared on a timely
basis.
3. Review bank reconciliations to ensure that they
were prepared on a timely basis.
238 Part Two The Financial Statement Audit
activities. Many businesses rarely write paper checks. The controls required for electronic
payments requires the same system of separation of duties. However, the majority of the
access and authorization controls are accomplished through passwords and restrictions of
access to data and accounting information systems.
REVIEW CHECKPOINTS
6.11 What is the basic sequence of activities in the cash collection process?
6.12 Why should a list of cash remittances be made and sent to the accounting department? Wouldn’t it
be easier to send the cash and checks to the accountants so they can enter the credits to customers’ accounts accurately?
6.13 What is lapping? What procedures can auditors employ to detect lapping?
6.14 What feature of the acquisition and expenditure control would be expected to prevent an
employee from embezzling cash by creating fictitious vouchers?
LO 6-6
Give examples of
substantive procedures used
to test cash and relate them
to the relevant assertions.
Substantive Procedures
As you have learned previously while studying audit risk, the primary reason for evaluating the internal control system at an audit client is to reach an overall assessment of
risk of material misstatement for each relevant assertion. In fact, the assessment of risk
of material misstatement is completed to help form the basis for determining the nature,
timing, and extent of substantive testing. Risk of material misstatement at the assertion
level is composed of both inherent risk and control risk for each relevant assertion.
If inherent risk has already been assessed as high, this means that there is high susceptibility for this account to be misstated. Recall that control risk is the probability that
an entity’s controls will fail to prevent or detect material misstatements due to errors or
frauds. Due to the nature of cash, the majority of audit clients have strong controls over
cash, and tests of controls often support a reduction in control risk. This reduction in control risk reduces the auditor’s assessment of the risk of material misstatement over cash.
However, regardless of the final assessment of the risk of material misstatement, as with
any significant account, the auditor will perform at least some substantive procedures
over cash.
As stated previously, there are two types of substantive tests: analytical procedures
and tests of detail and balances. As you may recall, a substantive analytical procedure is
one where the auditor substantiates an account or disclosure by developing an independent estimate of the amount and then comparing the recorded balance to the estimate.
Due to the lack of predictability of the cash balance, auditors rarely, if ever, use substantive analytical procedures to test cash. Rather, auditors typically rely exclusively on
tests of detail. For example, auditors will generally test the bank reconciliations in detail,
including sending confirmations to all banks in order to substantiate the existence of
cash. Exhibit 6.10 presents the substantive tests that are likely to be completed to address
remaining risks of material misstatement related to cash.
Without question, the most important test of detail completed on cash is to test the
details of the entity-prepared and reviewed bank reconciliation for each significant banking relationship, including confirmation of the balance with the financial institution. For
that reason, our discussion of substantive procedures will focus almost exclusively on
testing the bank reconciliation in detail. In effect, the auditor needs to obtain the bank reconciliation for each significant account and audit the details contained on each of them.
In a well-functioning control environment, auditors should never have to perform the
company’s internal control activity of preparing the bank reconciliation. Always remember that the timely completion of the bank reconciliation is the responsibility of the client
and is a critical element of internal control over cash.
Chapter 6 Employee Fraud and the Audit of Cash 239
EXHIBIT 6.10 Substantive Tests
Significant
Account
Relevant
Assertions
Cash
Possible Substantive Tests of
Detail
Internal Control Activity
Tests of Internal Control
Existence
The CFO perfoms a
detailed review of the bank
reconciliation on a monthly
basis.
For a sample of bank
reconciliations, reperform
the reconciliation. Trace
several reconciling items to
the appropriate supporting
documentation.
Test the bank reconciliation
details for each significant cash
account being held. Confirm the
bank balance with each financial
institution.
Valuation
The treasurer reviews the
cash translation adjustment
calculation monthly and
independently checks that the
appropriate spot rate has been
used for each foreign currency.
Inspect the monthly cash
translation adjustment
calculation for evidence of the
treasurer’s review.
For a sample of monthly
cash translation adjustment
calculations, trace each foreign
currency spot rate to a third-party
pricing service.
Presentation
and disclosure
The corporate secretary reviews
the cash footnote disclosure on
a quarterly basis to ensure that
all legal restrictions on the cash
balance have been properly
disclosed.
For a sample of cash accounts,
reperfom the work completed
by the corporate secretary to
ensure that all cash restrictions
have been properly disclosed.
For a sample of cash accounts,
examine the legal agreements
with each financial institution.
Based on the examination,
determine whether the audit client
has properly disclosed any legal
restrictions in their footnotes.
Bank Reconciliation
A client-prepared bank reconciliation is shown in Exhibit 6.11. When auditing the bank
reconciliation, the auditor should begin by confirming the account balance listed as the
“balance per bank” on the top of the bank reconciliation for each bank account from each
bank that the client utilizes in the business. The auditor is required to send a confirmation
request, and each bank should respond directly to the public accounting firm’s office.
This procedure is important because the auditor needs to make sure that the confirmation request was actually completed by an independent professional at a third-party bank.
In fact, despite suspicions about unusual cash arrangements, Ernst & Young GmbH
signed off on the audit opinion for three years for Wirecard, a fintech company based
in Germany, before recognizing material fraudulent financial reporting. A description is
found in the nearby Auditing Insight.
AUDITING INSIGHT
The Dangers of Bank Confirmations
Wirecard AG was a “shining star” of the European tech scene. The
company processed payments for a wide variety of online businesses
and recorded huge amounts of revenue from its operations. However,
much of it was a sham. Approximately $2.1 billion of the company’s
cash did not exist. The auditors, Ernst & Young GmbH, verified the
amounts through confirmation. However, the scanned electronic copies of the confirmations from two Philippine banks proved to be fraudulent. When the auditors requested additional support in March 2020,
it was discovered that the banks in question never held any cash for
Wirecard. Unlike many revenue fraud schemes that involve fictitious
accounts receivable, CEO Markus Braun inflated cash and confused
the auditors with multiple offshore bank accounts. This incident further demonstrates an advantage of electronic confirmations received
directly through a secure portal from known and registered banks.
Source: “Wirecard Scandal Puts Spotlight on Auditor Ernst & Young,” The Wall
Street Journal, June 27, 2020.
The Auditing Insight “The Dangers of Bank Confirmations” demonstrates the difficulties
auditors can have with authenticating the source of confirmations. The use of third-party
electronic information intermediaries, such as Confirmation (formerly called Confirmation.
com), has changed the process of cash confirmation greatly over the past decade, but it has
not reduced the auditor’s responsibility to authenticate the source of the information.
240 Part Two The Financial Statement Audit
EXHIBIT 6.11
Bank Reconciliation
It is rare for a bank to respond to a paper request for confirmation, and thus nearly all
audit firms confirm bank balances through a third-party intermediary, often Confirmation.
A standard confirmation request to a bank will also confirm outstanding loan balances,
which will provide substantive evidence to test the existence and completeness assertions
for liabilities. We will discuss substantive tests of loan balances in more detail in Chapter 10.
As discussed above with the Satyam case, the key issue with confirmations of any kind
is the reliability of the response. The use of electronic confirmation through an intermediary
such as Confirmation provides many benefits to the auditor. It allows information to be
transmitted in a safe and secure manner, and most importantly, it allows for validation of
the authenticity of the bank employee responding to the confirmation request, an issue
which was previously a major concern for auditors. Before an auditor can rely on an
electronic confirmation, the auditor must obtain an understanding of the intermediary’s
internal control system. In most situations, the auditor relies upon a report provided by
Chapter 6 Employee Fraud and the Audit of Cash 241
another auditor who audited the design and operating effectiveness of the intermediary under
SSAE 16, and provided a Service Organization Controls (SOC) report, most commonly a
SOC1 report. SOC reports are discussed in more detail in Module A.
The confirmation process through an online intermediary generally requires the registration of the auditor, the client, and the financial institution, although in some situations,
the intermediary will make paper confirmation requests on behalf of an auditor. Clients
must provide electronic authorization in order for the auditor to request confirmation.
Upon authorization, the auditor will initiate a confirmation request. Unlike traditional
paper confirmations which often take multiple weeks for completion, electronic confirmation requests are often completed in a matter of days.
Exhibit 6.12 provides an example of a standard electronic bank confirmation performed
through Confirmation. You will note in Exhibit 6.12 that the auditor can also confirm
outstanding loan balances listed on the balance sheet. As shown, the auditors would be
gathering evidence to test the completeness assertion for liabilities because the auditor
would trace the information provided by the bank to loan balances listed on the balance
sheet. We will discuss substantive tests of the loan balance in more detail in Chapter 10.
A word of caution is in order. Although financial institutions may note exceptions
to the information requested in a confirmation and may confirm items omitted from it,
the AICPA warns auditors that sole reliance on a confirmation to satisfy the completeness
assertion for cash and liabilities is inappropriate. Employees of financial institutions
cannot be expected to search their information systems for balances and loans that may
not be immediately evident as the client company’s assets and liabilities—in fact the
electronic response shown here specifically notes that.
Once the “balance in the bank” has been confirmed and cross-referenced to the
balance in the bank reconciliation, the following additional procedures are typically used
in auditing the bank reconciliation:
∙ Test the mathematical accuracy of the reconciliation, including the listing of outstanding
checks and deposits in transit.
∙ Examine reconciling items to ensure they are appropriately classified (e.g., that they
were legitimate outstanding checks that were written but not paid by the bank at the
statement date).
∙ Reconcile the book balance to the trial balance, which has been traced to the general
ledger.
The auditors’ information source for validating the bank reconciliation items is typically
a cutoff bank statement, which is normally a complete bank statement for the month
following the date of the financial statements. The cutoff bank statement is important
because it (1) is received directly by the auditors (which qualifies as external evidence)
and (2) documents important bank transactions occurring early in the subsequent period.
These transactions subsequent to the date of the financial statements are important for
testing the completeness of the client’s outstanding check list as well as the existence of any
deposits in transit. The bank cutoff statement can also be used in a search for unrecorded
liabilities discussed in more detail in Chapter 8.
Deposits in transit should be vouched from the bank reconciliation to the bank cutoff
statement (existence) and should have been recorded by the bank in the first business
days of the cutoff period. If recorded later, the inference is that the deposit may have been
composed of receipts of the period after the date of the financial statements.
When auditing reconciling items that decrease cash (i.e., outstanding checks) listed on
the bank reconciliation and because the audit team is most concerned about the existence
of cash (i.e., overstatement) rather than the completeness of cash (i.e., understatement),
the completeness of the outstanding checks listing is more critical than to support the
existence of such checks. Comparably, when auditing reconciling items that increase cash
(i.e., deposits in transit) listed on the bank reconciliation, the existence of the depositsin-transit on the reconciliation is more critical than their completeness because the audit
team is most concerned about the existence of cash (i.e., overstatement) rather than the
242 Part Two The Financial Statement Audit
EXHIBIT 6.12
Bank
Confirmation
Chapter 6 Employee Fraud and the Audit of Cash 243
completeness of cash (i.e., understatement). As a result, the audit team traces outstanding
checks that cleared on the cutoff bank statement (and were either returned with that statement or identified in that statement) to the client’s list of outstanding checks for evidence
that all checks that were written prior to the reconciliation date were included on the
list of outstanding checks. Additionally, canceled checks should be traced to the cash
disbursements listing (journal). For large outstanding checks not clearing in the cutoff
period, other documentation supporting the disbursement may be used. These procedures
are key and described by tick marks in Exhibit 6.11. As the next Auditing Insight suggests, it is important to pay close attention to possible errors in the bank reconciliation.
AUDITING INSIGHT
The Darn Stuff Is So Easy to Count
Through the use of discretionary estimates, HealthSouth, one of the
largest health care providers in the United States, inflated its assets by
$1.5 billion. In an even more bizarre twist, the company overstated its
cash by more than $300 million, according to prosecutors. Because
auditors use standardized forms to confirm cash balances with financial institutions, how the auditors missed the cash overstatement is
a mystery. “I’m shocked that cash is manipulated and overstated,
because the darn stuff is so easy to count,” stated one audit expert.
Nevertheless, auditors must never take the cash balance for granted
when conducting the audit.
Source: “Did HealthSouth Auditor Ernst Miss Key Clues to Fraud Risks?”
The Wall Street Journal, April 10, 2003.
REVIEW CHECKPOINT
6.15 What is a bank reconciliation? Who should prepare it and how do auditors use it?
“EXTENDED PROCEDURES” TO DETECT FRAUD
LO 6-7
Describe some extended
procedures for detecting
employee fraud schemes
involving cash.
The auditing literature often refers to “extended procedures,” which are “specific
responses to fraud risk factors.” Although the professional standards list a few of these
procedures, an exhaustive list would be very lengthy. Moreover, authorities fear that a
definitive list might limit the range of such procedures, so extended procedures are generally identified as whatever is necessary in the circumstances. This section describes some
of the extended procedures and warns that (1) some auditors may consider them ordinary
and (2) other auditors may consider them unnecessary in any circumstances. They are
useful detective procedures in either event. Consider the following procedures.
Schedule of Interbank Transfers
Due to the nature of the cash balance, auditors also will sometimes, although rarely
because of decreased float times, prepare a schedule of interbank transfers to determine
whether transfers of cash from one bank to another were recorded properly (correct
amount and correct date). The audit team should also be alert to the possibility of a
company’s practice of illegal “kiting.” Check kiting is the deliberate floating of funds
between two or more bank accounts in order to make it appear that more cash is present
than is really the case. When a check is deposited in one bank, the cash receipts journal
immediately includes that deposit. At the same time, the check, drawn on a different
bank account, does not appear in the cash disbursements journal for several days. By this
method, an entity can use the time required for checks to clear to inflate the cash amount
on the entity’s books. Advances in information technology and increased bank scrutiny
have reduced the incidences of check kiting dramatically in recent years. However, auditors must still be aware of the possibility; and the schedule of interbank transfers is a
technique designed to detect the practice.
244 Part Two The Financial Statement Audit
These are some characteristic signs of check-kiting schemes:
∙ Frequent deposits and checks in rounded and the same amounts.
∙ Frequent deposits with checks written on the same (other) banks.
∙ Short time lags between deposits and withdrawals.
∙ Frequent ATM account balance inquiries.
∙ Many large deposits made on Friday to take advantage of the weekend.
∙ Large periodic balances in individual accounts with no apparent business explanation.
∙ Low average balance compared to high level of deposits.
∙ Many checks made payable to other banks.
∙ Banks’ willingness to pay against uncollected funds.
∙ “Cash” withdrawals with deposit checks drawn on another bank.
∙ Checks drawn on foreign banks with lax banking laws and regulations.
Today, banks have implemented the Check Clearing for the 21st Century Act, referred
to as “Check 21.” In this system, checks are converted to digital images, allowing for a
dramatic increase in speed in check clearing. The benefit is that the “float” on the check
is virtually eliminated, and kiting becomes difficult to perform and conceal. However, in
the Check 21 system, the paper check is usually destroyed, a hard copy of the check is
never returned to the customer or its bank, and consequently, the nature of the audit trail
is significantly different. In investigating possible fraud, the audit team is able to obtain
only an electronic copy of the front of the check and the controls over the safeguarding of
the imaging files will be of great importance.
Proof of Cash
Auditors can use another method to discover unrecorded cash transactions. It is called a
proof of cash. The proof of cash is a reconciliation in which the bank balance, the bank
report of cash deposited, and the bank report of cash paid are all reconciled to the corresponding records maintained in the entity’s general ledger, cash receipts journal, and
cash disbursements journal.
The proof of cash attempts to reconcile the deposits and payments reported by the
bank to the deposits and payments recorded in the cash receipts and cash disbursements
journals, respectively, as well as the final general ledger totals. The proof of cash is a very
effective procedure to verify cash transactions but is usually used only when controls over
cash are weak, which is rarely the case. Thus, a proof of cash is not always performed in
an audit of cash.
Count and Recount Cash on the Same Day
If a client maintains a significant amount of cash on hand, such as a financial institution
or some retailers, a second cash count is unexpected. Auditors might catch an embezzling
employee who incorrectly believes that “the auditors are gone, so now it’s safe!” Auditors should always make sure a client employee is present during the count and that the
employee signs for the returned cash so the auditor cannot be blamed for any shortages.
Another “trick of the trade” is to make sure that the auditor’s pockets are empty (leave
wallets locked up safely elsewhere) when counting client cash on hand. This is especially
important when counting cash at a financial services client such as a bank or credit union.
All cash should be counted simultaneously to prevent embezzling employees from substituting cash from other places. If this is not possible (e.g., the employee claims that he or
she does not have the safe combination), there is audit tape (similar to police tape) to seal
the safe until it can be opened with the auditor present. If the seal is broken, the auditor’s
suspicions should be raised.
Chapter 6 Employee Fraud and the Audit of Cash 245
AUDITING INSIGHT
Free Givenchy, Anyone?
Identity theft and hacking have become a major headache for both
businesses and consumers. But sometimes, identity theft can be low
tech. Five sales associates for Saks Fifth Avenue used stolen customer personal information to purchase hundreds of thousands of
dollars of high-end handbags and shoes from the retailer’s famous
Manhattan location. A ringleader stole the information and recruited
associates and customers to assist with the scheme. The associates
would use fake customers to make the purchases, then sell the items
on the black market or return them to the store.
Source: “5 Indicted in Alleged Saks Fifth Avenue ID Theft Shopping Spree,”
ABC News, October 6, 2014.
Retrieve Customers’ Checks
If an employee has diverted customer payments for his or her own use, the canceled
checks and deposits to a bank where the company has no account are not available
because they are returned to the issuing customer. Ask the customer to give copies of the
front of the check or provide access for examination.
Use Marked Coins and Currency
Plant marked money in locations where cash collections should be gathered and turned
over for deposit.
Analyze the Mix of Cash and Checks in Deposits
This procedure is most effective for retail operations in which cashiers receive significant
amounts of both cash and checks. Unless there is a marked change in consumer behavior, one
should expect the mix of cash and checks to be relatively consistent over time. A decrease in
the proportion of cash in the mix is often a sign that employees may be stealing cash.
Measure Deposit Lag Time
Compare the date of the deposit slip to the date recorded as a debit in the general ledger to
the date the deposit was credited in the account by the bank. Someone who takes cash and
then holds the deposit for the next cash receipt to make up the difference causes a delay
between the date of recording and the bank’s date of deposit.
Document Examination
When performing this procedure, auditors will look for erasures, alterations, and photocopies where originals should be filed, telltale lines from a copier when a document has
been pieced together, handwriting, and other oddities. Auditors should always insist on
seeing original documents instead of photocopies. Importantly, while professional document examination is a technical activity that requires special training (e.g., training by
the IRS, FBI), crude alterations may still be observed by the auditor when performing
procedures, which should lead to a consultation with a professional document examiner
when deemed necessary.
Inquiry
Be careful not to discuss fraud possibilities with the managers who might be involved.
It gives them a chance to cover up their fraud or even resign from the organization prior
to detecting the fraud. Described as a nonaccusatory method of asking key questions of
personnel during a regular audit, fraud audit questioning provides employees an opportunity to furnish information about possible misdeeds. Fraud possibilities are addressed in
a direct manner, so this approach must have the support of management. Example questions are: “Do you think fraud is a problem for business in general?” “Do you think this
246 Part Two The Financial Statement Audit
company has any particular problem with fraud?” “In your department, who is beyond
suspicion?” “Is there any information you would like to furnish regarding possible fraud
within this organization?”8
Covert Surveillance
When performing this procedure, auditors will observe activities while not being seen. For
example, audit team members might watch employees as they punch in to a work shift,
observing whether they use only one time card. Casino auditors actually get paid to gamble
so they can observe cash-handling procedures. Traveling hotel auditors may check in unannounced, use the restaurant and entertainment facilities, and observe employees to determine if they are stealing cash receipts or tickets. (Trailing people on streets, undercover
surveillance, and maintaining a “stake-out” should be left to trained investigators.)
AUDITING INSIGHT
The Case of the Extra Checkout
The district manager of the grocery store could not understand why
receipts and profitability had fallen and inventory was hard to manage at one of the largest stores in her area. She hired an investigator
who covertly observed the checkout clerks and reported that no one
had shown suspicious behavior at any of the nine checkout counters.
“Nine? That store only has eight,” she exclaimed! As it turns out, the
local store manager had installed another checkout aisle not connected to the cash receipts and inventory maintenance central computer and was pocketing all the receipts from that register.
Source: Association of Certified Fraud Examiners (ACFE), “Auditing for Fraud.”
Horizontal and Vertical Analyses
Horizontal and vertical ratio analysis procedures are very similar to preliminary analytical procedures explained in earlier chapters. Horizontal analysis refers to changes of
financial statement numbers and ratios across several years. Vertical analysis refers to
financial statement amounts expressed each year as proportions of a base such as sales for
the income statement accounts and total assets for the balance sheet accounts. Auditors
look for relationships that do not appear logical as indicators of potential large misstatement and fraud.
Net Worth Analysis
This analysis is used when fraud has been discovered or strongly suspected and the information to calculate a suspect’s net worth can be obtained (e.g., asset and liability records,
bank accounts). The method involves calculating the suspect’s net worth (known assets
minus known liabilities) at the beginning and end of a period (months or years) and then
trying to account for the difference as (1) known income less living expenses and (2)
unidentified difference. The unidentified difference may be the best available approximation of the amount of a theft.
Expenditure Analysis
This analysis is similar to net worth analysis except the data are the suspect’s spending for
all purposes compared to known income. If spending exceeds legitimate and explainable
income, the difference may be the amount of a theft.
Reasonableness Tests
Often, auditors become so involved in ticking and tying numbers that they forget to ask
themselves the simplest questions: Where is the cash going? For what purpose? Is this
reasonable? The answers to these questions often motivate the auditor to ask more penetrating questions of management and to dig for more evidence.
8
Joseph T. Wells, “From the Chairman: Fraud Audit Questioning,” The White Paper, National Association of Certified Fraud Examiners, May–June 1991, p. 2. This technique must be used with extreme care and practice.
Chapter 6 Employee Fraud and the Audit of Cash 247
REVIEW CHECKPOINTS
6.16 Why would an auditor prepare a proof of cash?
6.17 What is the difference between a normal procedure and an extended procedure?
6.18 What can an auditor find using net worth analysis? Expenditure analysis?
Summary
Key Terms
Although auditing standards concentrate on management fraud—the production of materially false and misleading financial statements (i.e., fraudulent financial reporting)—professional standards also require auditors to consider employee fraud perpetrated against an
entity. Attention to employee fraud is important in the context that the cover-up may create financial statement misstatements (e.g., overstating inventory to disguise unauthorized
removal of valuable products). The three conditions that are likely to be present when a
fraud occurs (Exhibit 6.1) are commonly referred to as the “fraud triangle.” The first condition (incentive/pressure) recognizes that an employee or a manager of a company is likely
to either have incentives in place (e.g., bonus compensation) or be under significant pressure to meet specific estimates, forecasts, or expectations about net income. The second
condition (opportunity) recognizes that in order for a fraud to be perpetrated, there must be
a weakness in the system of internal control to allow the fraud to occur. Finally, the third
condition (attitude/rationalization) recognizes that for an employee or a manager of a company to perpetrate a fraud, the individual must possess an “attitude” that allows her or him
to rationalize that she or he is knowingly committing a crime.
Audit team members need to know about the red flags, those telltale signs and indications that have accompanied many frauds. When studying a business operation, members’
ability to “think like a crook” to devise ways to steal can help in planning procedures
designed to determine whether fraud has happened. Often, imaginative “extended procedures” can be employed to unearth evidence of fraudulent activity. Audit team members
must always exercise technical and personal care, however, because accusations of fraud are
taken very seriously. For this reason, after preliminary findings indicate fraud possibilities,
the audit team should enlist the cooperation of management and assist fraud examination
professionals when bringing an investigation to a conclusion.
Once the relevant assertions have been identified for cash (e.g., existence) and the tests
of control activities are complete, the auditor must evaluate the evidence obtained from
risk assessment activities and control tests to determine the risk of material misstatement
for each relevant assertion. Cash is highly liquid, very portable, and not easily identifiable.
For these reasons, cash is often the primary target of fraudulent activities and must be
carefully controlled and monitored. Accordingly, controls over cash receipts and disbursements must be strong. With respect to auditing the cash balance, the detailed procedures performed on the bank reconciliation provide evidence about the existence of cash.
Additional procedures can be performed to try to detect attempts at lapping accounts
receivable collections. These procedures include comparing the details of customer payments
listed in bank deposits to the details of customer payment postings (remittance lists).
check kiting: The practice of building up balances in one or more bank accounts based on
uncollected (floating) checks drawn against similar accounts in other banks, 243
cutoff bank statement: A client bank statement (usually sent directly to the auditor) that includes
all paid checks and deposits made through a certain date, usually the end of the month following
the financial statement date, 241
direct-effect illegal acts: The violations of laws or government regulations by a company or its
management or employees that produce direct and material effects on dollar amounts in financial
statements, 218
embezzlement: A type of fraud involving employees or nonemployees wrongfully taking money
or property entrusted to their care, custody, and control, often accompanied by false accounting
entries and other forms of lying and cover-up, 218
248 Part Two The Financial Statement Audit
employee fraud (also called misappropriation of assets): The use of fraudulent means to take
money or other property from an employer. It consists of three phases: (1) the fraudulent act,
(2) the conversion of the money or property to the fraudster’s use, and (3) the cover-up, 218
errors: The unintentional misstatements or omissions of amounts or disclosures in financial
statements, 218
fidelity bond: An insurance policy that covers most kinds of cash embezzlement losses, 235
fraud: The misrepresentation of facts that the individual knows to be false with the intention to
deceive, 217
lapping: The theft of a payment and the application of subsequent payments to cover the theft, 235
lockbox: An arrangement in which a fiduciary (e.g., a bank) receives the payments, lists the
receipts, deposits the money, and sends the remittance advices (stubs showing the amount
received from each customer) to the company, 234
management fraud: The deliberate fraud committed by management that injures investors and
creditors through materially misleading information, 218
misappropriation of assets: See employee fraud, 218
motive: In the fraud context, essentially a reason for a person to take a fraudulent action that is
believed to be unshareable with friends and confidants, 220
proof of cash: A reconciliation in which the bank balance, the bank report of cash deposited, and
the bank report of cash paid are all reconciled to the company’s general ledger and cash receipts
and disbursements journals, 244
schedule of interbank transfers: A document prepared for use in analyzing whether transfers of
cash from one bank to another were recorded properly (correct amount and correct date), 243
Multiple-Choice
Questions for
Practice and
Review
LO 6-2
LO 6-3
LO 6-3
LO 6-3
All applicable Exercises and Problems are available
with Connect.
6.19 When auditing with “fraud awareness,” auditors should especially notice and follow up
employee activities under which of these conditions?
a. The company always estimates the inventory but never takes a complete physical count.
b. The petty cash box is always locked in the desk of the custodian.
c. Management has published a company code of ethics and sends frequent communication newsletters about it.
d. The board of directors reviews and approves all investment transactions.
6.20 The best way to enact a broad fraud prevention program is to
a. Install airtight control systems of checks and supervision.
b. Name an “ethics officer” who is responsible for receiving and acting on fraud tips.
c. Place dedicated hotline telephones on walls around the workplace with direct communication to the company ethics officer.
d. Practice management “of the people and for the people” to help them share personal and
professional problems.
6.21 A good fraud prevention program should address employees’ motivation to steal from the
company. The best method for doing this is to
a. Establish employee assistance programs.
b. Require a fidelity bond on all employees.
c. Require reconciliations of all accounts to be reviewed by a supervisor.
d. Ensure that all accounts with high inherent risk of fraud are audited.
6.22 A code of ethics is an important element of a fraud prevention program. Which of the following would diminish the effectiveness of a company’s code of conduct?
a. The establishment of a chief ethics officer.
b. The establishment of a hotline for reporting unethical behavior.
c. The violation of the code of ethics by senior management.
d. The posting of the code of ethics in the company workplace.
Chapter 6 Employee Fraud and the Audit of Cash 249
LO 6-2
6.23 Which of the following is least indicative of fraudulent activity?
a. Numerous cash refunds have been made to different people at the same post office box
address.
b. Internal auditors cannot locate several credit memos to support reductions of customers’
balances.
c. Bank reconciliation has no outstanding checks or deposits older than 15 days.
d. Three people were absent the day the auditors handed out the paychecks and have not
picked them up four weeks later.
LO 6-6
6.24 When performing confirmation of cash balances with a bank, the auditor is primarily gathering
evidence related to which financial statement assertion?
a. Existence
b. Completeness
c. Valuation
d. Presentation and Disclosure
LO 6-6
6.25 Which of the following is true about electronic cash confirmations obtained through
Confirmation (Confirmation.com)?
a. Responses to electronic confirmations are often delayed compared with manual
confirmations.
b. Electronic cash confirmations provide more convincing evidence for the completeness
assertion than manual confirmations.
c. Auditors must obtain evidence supporting the reliability of controls surrounding the
Confirmation (Confirmation.com) process.
d. It is more difficult to determine the authenticity of an electronic confirmation obtained
through Confirmation compared with confirmations mailed to the auditors.
LO 6-5
6.26 Allison Everhart, an employee in accounts payable, believes she can run a fictitious invoice
through the accounts payable system and collect the money. She knows payments are
subject to an audit. Which account would be the best place to hide the fraud?
a. Inventory
b. Wage expense
c. Consulting service expense
d. Property tax expense
LO 6-1
6.27 Which of these arrangements of duties could most likely lead to an embezzlement or theft?
a. The inventory warehouse manager has responsibility for making the physical inventory
observation and reconciling discrepancies to the perpetual inventory records.
b. The cashier prepared the bank deposit, endorsed the checks with a company stamp, and
delivered the cash and checks to the bank for deposit (no other bookkeeping duties).
c. The accounts receivable clerk received a list of payments received by the cashier so he
could make entries in the customers’ accounts receivable subsidiary accounts.
d. The financial vice president received checks made out to suppliers and the supporting
invoices, signed the checks, and mailed the checks.
LO 6-5
6.28 Which of the following would the auditor consider to be an incompatible operation if the
cashier receives remittances?
a. The cashier prepares the daily deposit.
b. The cashier makes the daily deposit at a local bank.
c. The cashier posts the receipts to the accounts receivable subsidiary ledger cards.
d. The cashier endorses the checks.
LO 6-5
6.29 Which of the following is an effective audit procedure that an auditor might use to detect
kiting between intercompany banks?
a. Review the composition of authenticated deposit slips.
b. Review subsequent bank statements.
c. Prepare a schedule of the bank transfers.
d. Prepare a year-end bank reconciliation.
250 Part Two The Financial Statement Audit
LO 6-5
6.30 Immediately upon receipt of cash, a responsible employee should
a. Record the amount in the cash receipts journal.
b. Prepare a remittance listing.
c. Update the subsidiary accounts receivable records.
d. Prepare a deposit slip in triplicate.
(AICPA adapted)
LO 6-4
6.31 Each morning the controller gets the prior day’s list of remittances, a copy of the payment
report, and a copy of the deposit slip returned from the bank. When comparing these items,
the controller would be able to determine that
a. No checks were returned for insufficient funds.
b. The cash received and remittance advice received were maintained in a single batch.
c. The accounts receivable system has controls over unauthorized access.
d. The assistant controller does not also reconcile the subsidiary accounts payable.
LO 6-4
6.32 Upon receipt of customers’ checks in the mail room, a responsible employee should prepare
a remittance list that is forwarded to the cashier. A copy of the list should be sent to the
a. Internal auditor to investigate the list for unusual transactions.
b. Treasurer to compare the list with the monthly bank statement.
c. Accounts receivable bookkeeper to update the subsidiary accounts receivable records.
d. Entity’s bank to compare the list with the cashier’s deposit slip.
(AICPA adapted)
LO 6-4
6.33 Cash receipts from sales on account have been misappropriated. Which of the following acts
would conceal this defalcation and be least likely to be detected by an auditor?
a. Understating the sales journal.
b. Overstating the accounts receivable control account.
c. Overstating the accounts receivable subsidiary ledger.
d. Overstating the sales journal.
LO 6-1
6.34 Embezzlement is a type of fraud that involves
a. An employee’s misappropriating an employer’s money or property not entrusted to him
or her.
b. A manager’s falsification of financial statements for the purpose of misleading investors
and creditors.
c. An employee’s mistaken representation of opinion that causes incorrect accounting entries.
d. An employee misappropriating an employer’s money or property entrusted to the
employee’s control in the employee’s normal job.
LO 6-5
6.35 Which of the following control activities would best protect against the preparation of
improper or inaccurate cash disbursements?
a. All checks must be signed by an officer designated by the board of directors.
b. All signed checks must be reviewed and compared with supporting documentation by
the treasurer before mailing.
c. All checks must be sequentially numbered and accounted for by internal auditors.
d. All checks must be perforated or otherwise effectively canceled when they are returned
with the bank statement.
LO 6-4
6.36 During an audit of cash, the auditor is most concerned with the management assertion of
a. Existence.
b. Rights and obligations.
c. Valuation or allocation.
d. Occurrence.
LO 6-6
6.37 In preparing for the audit of cash, the auditors perform analytical procedures concerning
cash balances. Which of the following would be the best source of information for use in the
estimate of cash?
a. Prior-years’ balances.
b. Management inquiry.
Chapter 6 Employee Fraud and the Audit of Cash 251
c. Cash budgets.
d. Aged accounts receivable reports.
LO 6-5
LO 6-2
6.38 Which of the following control activities could prevent a paid disbursement voucher from
being presented for payment a second time?
a. Vouchers should be prepared by individuals who are responsible for signing disbursement
checks.
b. Disbursement vouchers should be approved by at least two responsible management officials.
c. The date on a disbursement voucher should be within a few days of the date the voucher
is presented for payment.
d. The official signing the check should compare it with the voucher and should stamp
“paid” on the voucher documents.
6.39 Fraud risk factors are events or conditions that indicate which of the following?
a. An opportunity to carry out a fraud.
b. An attitude or rationalization that justifies a fraudulent action.
c. An incentive or pressure to perpetrate fraud.
d. All of these are correct.
LO 6-7
6.40 If the auditor believes that a misstatement is or might be intentional and the effect on the
financial statements could be material or cannot be readily determined, the auditor should do
which of the following?
a. Inquire of management as to the possibility of fraud.
b. Discuss with the audit committee what should be done to prevent possible future
misstatements.
c. Perform procedures to obtain additional audit evidence to determine whether fraud has
occurred or is likely to have occurred.
d. Both (a) and (b) are correct.
e. None of these is correct.
LO 6-7
6.41 In what way can audit procedures be modified to address assessed fraud risks?
a. Obtain more reliable information.
b. Perform procedures close to year-end.
c. Apply computer-assisted techniques to all items.
d. All of these are valid modifications.
LO 6-7
6.42 Incorporating elements of unpredictability in the selection of audit procedures to be performed by auditors include all of the following except
a. Varying the timing of the audit procedures.
b. Selecting items for testing that have lower amounts or are otherwise outside customary
selection parameters.
c. Performing audit procedures on an unannounced basis.
d. Sending attorney letters to every attorney listed under the legal expense account.
e. None of these is correct.
LO 6-2
6.43 Fraud risk factors are events or conditions that indicate
I. An incentive or pressure to perpetrate fraud.
II. An opportunity to carry out the fraud.
III. An attitude or rationalization that justifies the fraudulent action.
Which of the following statements is true?
a. I is a fraud risk factor.
b. I and II are fraud risk factors.
c. II and III are fraud risk factors.
d. None of these is a fraud risk factor.
e. I, II, and III are fraud risk factors.
252 Part Two The Financial Statement Audit
Exercises and
Problems
LO 6-5
All applicable Exercises and Problems are available
with Connect.
6.44
Tests of Controls over Cash Disbursements. The Runge Controls Corporation manufactures and markets electrical control systems: temperature controls, machine controls,
burglar alarms, and the like. The company acquires electrical and semiconductor parts
from outside vendors and assembles systems in its own plant. The company incurs other
administrative and operating expenditures. Liabilities for goods and services purchased are
entered in a vouchers payable journal, at which time the debits are classified to the asset
and expense accounts to which they apply.
The company has specified control activities for approving vendor invoices for payment, for signing checks, for keeping records, and for reconciling the checking accounts.
The procedures appear to be well specified and in operation.
You are the senior auditor on the Runge engagement and need to specify a list of test of
control procedures to evaluate the effectiveness of the controls over cash disbursements.
Required:
Using management’s assertions over transactions as a guide, specify two or more tests of
control procedures to audit the effectiveness of typical control activities. (Hint: From one
sample of recorded cash disbursements, you can specify procedures related to several
objectives. See Exhibit 6.9 for examples of test of control procedures over cash disbursements.) Organize your list according to the following example for the “completeness”
assertion.
Completeness Assertion
Test of Controls
All valid cash disbursements are recorded Determine the numerical sequence of
and none are omitted.
checks issued during the period and
scan the sequence for missing numbers.
(AICPA adapted)
LO 6-5
6.45 Internal Control Questionnaire for Book Buy-Back Cash Fund. Taylor, a CPA, has
been engaged to audit the financial statements of University Books, Incorporated. University Books maintains a large cash fund exclusively for the purpose of buying used books
from students for cash. The cash fund is active all year because the nearby university offers
a large variety of courses with varying starting and completion dates throughout the year.
Receipts are prepared for each purchase. Reimbursement vouchers periodically are submitted to replenish the fund.
Required:
Construct an internal control questionnaire to be used in evaluating the internal control over
University Books’ repurchasing process using the revolving cash fund. The internal control
questionnaire should elicit a yes or no response to each question. Do not discuss the internal
controls over books that are purchased from publishers.
(AICPA adapted)
LO 6-5
6.46 Test of Controls over Cash Receipts. You are the in-charge auditor examining the financial statements of the Gutzler Company for the year ended December 31. During late October, with the help of Gutzler’s controller, you completed an internal control questionnaire
and prepared the appropriate memoranda describing Gutzler’s accounting procedures. Your
comments relative to cash receipts are as follows:
∙ All cash receipts are sent directly to the accounts receivable clerk with no processing
by the mail department. The accounts receivable clerk keeps the cash receipts journal,
prepares the bank deposit slip in duplicate, posts from the deposit slip to the subsidiary
accounts receivable ledger, and mails the deposit to the bank.
∙ The controller receives the validated deposit slips directly (unopened) from the bank.
She also receives the monthly bank statement directly (unopened) from the bank and
promptly reconciles it.
Chapter 6 Employee Fraud and the Audit of Cash 253
∙ At the end of each month, the accounts receivable clerk notifies the general ledger clerk
by journal voucher of the monthly totals of the cash receipts journal for posting to the
general ledger.
∙ With regard to the general ledger cash account, the general ledger clerk makes an entry each
month to record the total debits to cash from the cash receipts journal. In addition, the general
ledger clerk, on occasion, makes debit entries in the general ledger cash account from sources
other than the cash receipts journal, for example, funds borrowed from the bank. In the audit
of cash receipts, you have already performed certain standard audit procedures:
∙ All columns in the cash receipts journal have been totaled and cross-totaled.
∙ Postings from the cash receipts journal have been traced to the general ledger.
∙ Remittance advices and related correspondence have been traced to entries in the cash
receipts journal.
Required:
Considering Gutzler’s internal control over cash receipts and the standard audit procedures
already performed, list all other audit procedures that should be performed to obtain sufficient
appropriate audit evidence regarding controls over cash and give the reasons for each procedure.
Do not discuss the procedures for cash disbursements and cash balances. Also, do not discuss
the extent to which any of the procedures are to be performed. Assume that adequate controls
exist to ensure that all sales transactions are recorded. Organize your answer sheet as follows:
(AICPA adapted)
Other Audit Procedure
LO 6-3
Reason for Other Audit Procedures
6.47 Internal Control over Sales Returns. You are the auditor for Konerko’s Office Supply
Store, which is opening for business next week. The store owner has established all the
controls you have recommended for ensuring that sales are recorded properly and cash is
accounted for. The owner has heard from other small business owners that employees often
used returned goods as means of skimming money from the register.
Required:
a. How might an employee use returned goods to skim money from the register?
b. What controls would you recommend to prevent or detect fraudulent returns?
c. What audit procedures might you perform to detect fraudulent returns?
LO 6-6
6.48 Procedures for Auditing a Client’s Bank Reconciliation. Auditors typically will find the
items lettered A–F in a client-prepared bank reconciliation.
GENERAL COMPANY
Bank Reconciliation: 1st National Bank
September 30
A. Balance per bank
$28,375
B. Deposits in transit
Sept 29
$4,500
Sept 30
1,525
6,025
34,400
C. Outstanding checks:
988
1281
1285
1289
1292
Aug 31
Sept 26
Sept 27
Sept 29
Sept 30
D. Customer note collected by the bank:
E. Error: Check #1282, written on Sept. 26 for $270, was
erroneously charged by bank as $720; bank was notified Oct. 2
F. Balance per books
$2,200
675
850
2,500
7,255
(11,450)
20,950
(3,000)
450
$20,400
254 Part Two The Financial Statement Audit
Required:
Assume these facts: On October 11, the auditor received a cutoff bank statement dated
October 7. The September 30 deposit in transit; the outstanding checks 1281, 1285, 1289, and
1292; and the correction of the bank error regarding check 1282 appeared on the cutoff bank
statement.
a. For each of the preceding lettered items A–F, select one or more of the following
procedures 1–10 that you believe the auditor should perform to obtain evidence about the
item. These procedures may be selected once, more than once, or not at all. Be prepared
to explain the reasons for your choices.
1. Trace to cash receipts journal.
2. Trace to cash disbursements journal.
3. Compare to the September 30 general ledger.
4. Confirm directly with the bank.
5. Inspect bank credit memo.
6. Inspect bank debit memo.
7. Ascertain reason for unusual delay, if any.
8. Inspect supporting documents for reconciling items that do not appear on the cutoff
bank statement.
9. Trace items on the bank reconciliation to the cutoff bank statement.
10. Trace items on the cutoff bank statement to the bank reconciliation.
b. Auditors ordinarily foot a client-prepared bank reconciliation. If the auditors had
performed this recalculation on the preceding bank reconciliation, what might they have
found? Be prepared to discuss any findings.
(AICPA adapted)
LO 6-6
6.49 Manipulated Bank Reconciliation. You can use the computer-based Electronic Workpapers
on the textbook website to prepare the bank reconciliation solution.
Caulco Inc. is the audit client. The February bank statement is shown in Exhibit 6.3 in
the text. You have obtained the client-prepared bank reconciliation as of February 28 (see
the following).
Required:
Check 2231 was the first check written in February. All earlier checks cleared the bank,
some during January and some during February. Assume that the only February-dated
canceled checks returned in the March bank statement are 2239 and 2240 showing the
amounts listed in the February bank reconciliation. They cleared the bank on March 3 and
March 2, respectively. The first deposit on the March bank statement was $1,097.69 credited
on March 3. Assume also that all checks entered in Caulco’s cash disbursements journal
through February 29 have either cleared the bank or are listed as outstanding checks in the
February bank reconciliation.
Determine whether any errors exist in the following bank reconciliation. If errors exist,
prepare a corrected reconciliation and explain the problem.
CAULCO INC.
Bank Reconciliation
February 28
Balance per bank
$7,374.93
Deposit in transit
1,097.69
Outstanding Checks
Number
Date
Payee
Amount
2239
Feb 26
Alpha Supply
500.00
2240
Feb 28
L.C. Stateman
254.37
Total outstanding
General ledger balance Feb. 28
(754.37)
$7,718.25
Chapter 6 Employee Fraud and the Audit of Cash 255
LO 6-7
6.50
Investigating a Fraud. Suppose you are auditing cash disbursements and discover several
payments to a company you are unfamiliar with and cannot find information about this
company on the Internet or in the local telephone directory. The invoices from this company have numbers very close to each other in the sequence, there is no phone number on
the invoice, and each bill is for a dollar amount just under the amount that would require
additional approvals before payment. Based on this information, you now suspect this may
be a fraud.
Required:
Based on your suspicions, how would you change the audit procedures you would perform,
and how might you change the evidence you gather?
LO 6-5
6.51 Fraud in Purchasing. Consider the following scenario:
Adam worked for the local hardware store as an outside sales representative. His job was to
visit local companies and contractors in an attempt to identify their needs for tools and materials and provide a bid to supply those items. When a local contractor accepted a new job,
Adam would get its material requirements, come back to the store, and prepare and submit
a proposal for the items. After some initial success with Big Builder, a large contractor, the
number of jobs awarded to Adam had decreased dramatically.
One day, Adam was back at the store after losing a bid to Big Builder when he noticed
someone in the store purchasing the exact items and quantities that were in the specification
for that bid. The combination of items was unusual, and it would be an unlikely coincidence
for someone else to want such a combination in that exact quantity. The customer paid the
retail price for the merchandise and left.
Adam decided to contact Big Builder, but he knew he could not do so and make any
accusations. Adam set up a meeting with the president of Big Builder and inquired as to how
Adam might “increase his business and better meet the needs of Big Builder.” Eventually,
the recent bid entered the conversation. Adam showed his copy of the bid to the president.
The president retrieved a copy of the purchase order and recognized that the amount on it
was more than the bid Adam had submitted. The company that submitted the bid was K. A.
Supplies Inc. Adam had never heard of K. A. Supplies and noted its address on the purchase
order. The president of Big Builder promised to investigate the bidding process.
Adam drove to the address of K. A. Supplies and found a packaging and shipping store
at that address. Furthermore, Adam went to the county courthouse and inquired about K. A.
Supplies. The company was listed in the county records, and one of the purchasing agents
for Big Builder was listed as an officer.
Required:
a. Given the information that Adam knows, what do you believe is occurring at Big Builder?
b. What other information would you want to obtain, and how might you retrieve that information?
c. What controls might be instituted at Big Builder to prevent improprieties in the bidding
and purchasing process?
LO 6-1
6.52 The Perfect Crime? Consider the following story of an actual embezzlement:
This was the ingenious embezzler’s scheme: (a) He hired a print shop to print a private
stock of Ajax Company checks in the company’s numerical sequence. (b) In his job as an
accounts payable clerk at Ajax, he intercepted legitimate checks written by the accounts
payable department and signed by the Ajax treasurer and destroyed them. (c) He substituted
the same numbered check from the private stock, payable to himself in the same amount
as the legitimate check, and he “signed” it with a rubber stamp that looked enough like the
Ajax Company treasurer’s signature to fool the paying bank. (d) He deposited the money in
his own bank account. The bank statement reconciler (a different person) was able to agree
the check numbers and amounts listed in the cleared items in the bank statement to the
recorded cash disbursement (check number and amount) and thus did not notice the embezzler’s scheme. The embezzler was able to process the vendor’s “past due” notice and the
next month’s statement with complete documentation, enabling the Ajax treasurer to sign
another check the next month paying both the past due balance and current charges. The
embezzler was careful to scatter the double-expense payments among numerous accounts
(telephone, office supplies, inventory, etc.) so the double-paid expenses did not distort any
accounts very much. As time passed, the embezzler was able to recommend budget amounts
256 Part Two The Financial Statement Audit
that allowed a large enough budget so his double-paid expenses in various categories did not
often pop up as large variances from the budget.
Required:
List and explain the ways and means you believe someone might detect the embezzlement.
Think first about the ordinary everyday control activities. Then think about extensive detection efforts assuming a tip or indication of a possible fraud has been received. Is this a
“perfect crime”?
LO 6-7
6.53 Select Effective Extended Procedures. The following are some “suspicions.” You have
been requested to select some effective extended procedures designed to confirm or deny
the suspicions.
Required:
Write the suggested procedures for each case in definite terms so another person can know
what to do.
a. The custodian of the petty cash fund may be removing cash on Friday afternoon to pay
for weekend activities.
b. A manager noticed that eight new vendors were added to the purchasing department’s
approved vendor list after the assistant purchasing agent was promoted to chief agent
three weeks ago. She suspects all or some of them might be fictitious companies set up
by the new chief purchasing agent.
c. The payroll supervisor may be stealing unclaimed paychecks of employees who resigned
and did not collect their last check.
d. Although no customers have complained, cash collections on accounts receivable have
decreased, and the counter clerks may have stolen customers’ payments.
e. The cashier may have “borrowed” cash receipts, covering this by holding each day’s
deposit until cash from the next day(s) collection is enough to make up the shortage from
an earlier day and then sending the deposit to the bank.
LO 6-7
6.54 Forensic Accounting: Assurance Engagement 1: Expenditure Analysis. Expenditure
analysis is used when fraud has been discovered or strongly suspected and the information
to calculate a suspect’s income and expenditures can be obtained (e.g., asset and liability
records, bank accounts). Expenditure analysis consists of establishing the suspect’s known
expenditures for all purposes for the relevant period, subtracting all known sources of funds
(e.g., wages, gifts, inheritances, bank balances), and identifying the difference as “expenditures financed by unknown sources of income.”
The law firm of Gleckel and Morris has hired you. The lawyers have been retained by
Blade Manufacturing Company in a case involving a suspected kickback by a purchasing
employee, E. J. Cunningham. Cunningham is suspected of taking kickbacks from Mason
Varner, a salesman for Tanco Metals. Cunningham has denied the charges, but Lanier
Gleckel, the lawyer in charge of the case, is convinced the kickbacks have occurred.
Gleckel filed a civil action and subpoenaed Cunningham’s financial records, including
last year’s bank statements. The beginning bank balance January 1 was $3,463, and the ending bank balance December 31 was $2,050. Over the intervening 12 months, Cunningham’s
per-month gross salary was $3,600 with a net of $2,950. His house payments were $1,377
per month. In addition, he paid $2,361 per month on a new Mercedes 500 SEL and a total
of $9,444 last year toward a new Nissan Maxima (including $5,000 down payment). He also
purchased new state-of-the-art audio and video equipment for $18,763 with no down payment and made total payments of $5,532 on the equipment last year. A reasonable estimate
of his household expenses during the period is $900 per month ($400 for food, $200 for
utilities, and $300 for other items).
Required:
Using expenditure analysis, calculate the amount of income, if any, from “unknown sources.”
LO 6-7
6.55 Forensic Accounting: Assurance Engagement 2: Net Worth Analysis. You can use the
computer-based Electronic Workpapers on the textbook website to prepare the net worth
analysis required in this problem.
Net worth analysis is performed when fraud has been discovered or is strongly suspected
and the information to calculate a suspect’s net worth can be obtained (e.g., asset and liability
records, bank accounts). The procedure used is to calculate the person’s change in net worth
Chapter 6 Employee Fraud and the Audit of Cash 257
(excluding changes in market values of assets) and to identify the known sources of funds to
finance the changes. Any difference between the change in net worth and the known sources
of funds is called funds from unknown sources, which might include ill-gotten gains.
Nero has worked for Bonne Consulting Group (BCG) as the executive secretary for
administration for nearly 10 years. Her dedication has earned her a reputation as an outstanding employee and has resulted in increasing responsibilities. Nero is also a suspect in a fraud.
During Nero’s first five years of employment, BCG subcontracted all of its feasibility and
marketing studies through Jackson & Company. This relationship was terminated because
Jackson & Company merged with a larger, more expensive consulting group. At the time
of termination, Nero and her supervisor were forced to select a new firm to conduct BCG’s
market research. However, Nero never informed the accounting department that the Jackson
& Company account had been closed.
Because her supervisor allowed Nero to sign the payment voucher for services rendered,
she was able to continue to process checks made payable to Jackson’s account. Nero was
trusted to be the only signature required to authorize payments less than $10,000. The
accounting department continued to write the checks and Nero took responsibility for delivering the checks. She opened a bank account in a nearby city under the name of Jackson &
Company, where she made the deposits.
Nero’s financial records have been obtained by subpoena. The following table provides a
summary of the data obtained from her records:
Nero’s Subpoenaed Records
Assets:
Residence
Stocks and bonds
Automobiles
Certificate of deposit
Cash
Liabilities:
Mortgage balance
Auto loan
Income:
Salary
Other
Expenses:
Scheduled mortgage payments
Auto loan payments
Other living expenses
Year 1
Year 2
Year 3
$100,000
30,000
20,000
50,000
6,000
$100,000
30,000
20,000
50,000
12,000
$100,000
42,000
40,000
50,000
14,000
90,000
10,000
50,000
—
—
—
34,000
6,000
36,000
6,000
6,000
4,800
20,000
6,000
—
22,000
Required:
You have been hired to estimate the amount of loss by estimating Nero’s “funds from
unknown sources” that financed her comfortable life style. (Hint: Set up a working paper
like the following:)
End Year 1
Assets (list)
Liabilities (list)
Net worth (difference)
Change in net worth
Add total expenses
= Change plus expenses
Subtract known income
= Funds from unknown sources
End Year 2
End Year 3
258 Part Two The Financial Statement Audit
LO 6-1
6.56 Employee Embezzlement via Cash Receipts and Payment of Personal Expenses.
Assume you have received a message from an informant regarding the following case. Your
assignment is to write the “audit approach” portion of the case.
a. Write a brief explanation of desirable controls, missing controls, and especially the kinds
of “deviations” that might arise from the situation described in the case. (Refer to controls explained in Chapter 5.)
b. Develop some procedures for obtaining evidence about existing controls, especially procedures that could discover deviations from controls. If there are no controls to test, then
there are no procedures to perform. Then just move on to part (c). (Refer to test of controls procedures explained in this chapter.) An audit “procedure” should instruct someone about the source(s) of evidence to obtain and the work to perform.
c. Write some procedures for gathering evidence in this case.
d. Write a short statement about the discovery you expect to accomplish with your procedures.
The Extra Bank Account
The Ourtown Independent School District, like all others, had formal, often bureaucratic,
procedures regarding school board approval of cash disbursements. To get around the rules
and to make possible timely payment of selected bills, the superintendent of schools had
a school bank account that was used in the manner of a petty cash fund. The board knew
about it and had given blanket approval in advance for its use to make timely payment of
minor school expenses. The board, however, never reviewed the activity in this account.
The business manager had sole responsibility for the account subject to the annual audit.
The account received money from transfers from other school accounts and from deposit
of cafeteria cash receipts. The superintendent did not like to be bothered with details and
often signed blank checks so the business manager would not need to obtain a signature all
the time. The business manager sometimes paid her personal American Express credit card
bills, charged personal items to the school’s Visa account, and pocketed some cafeteria cash
receipts before deposit.
An informant called the state education audit agency and told the story that this business
manager had used school funds to buy hosiery. When told of this story, the superintendent
told the auditor to place no credibility in the informant, who was “out to get us.” The business manager had, in fact, used the account to write unauthorized checks to “cash,” put
her own American Express bills in the school files (the school district had a Visa card, not
American Express), and signed on the school card for gasoline and auto repairs during periods of vacation and summer when school was not in session. (As for the hosiery, she purchased $700 worth with school funds one year.) The superintendent was genuinely unaware
of the misuse of funds. The business manager had been employed for six years, was trusted,
and embezzled an estimated $25,000.
LO 6-6
6.57 Electronic Confirmations. As stated in the text, most banks require auditors to use electronic
audit confirmation requests, and as a result, nearly all audit firms now use them. At present,
Confirmation is the market-leading technological platform for electronic audit confirmations. To obtain a greater understanding of the process used to confirm accounts with electronic confirmation requests, watch the introduction video to Confirmation’s process at
https://vimeo.com/301903513.
Required:
a. Based on the video, describe the process of using Confirmation for sending bank
confirmations.
b. Discuss advantages and disadvantages of electronic confirmation. Do electronic confirmations provide stronger audit evidence than mailed confirmations? Why or why not?
LO 6-7
6.58 Case of the Missing Petty Cash The case below tells the actual story of a cash embezzlement scheme. The case has two major parts: (1) problem and (2) audit approach. For the
case, please consider how the auditor may have discovered the cash embezzlement scheme.
Problem
The petty cash custodian (1) brought postage receipts from home and paid them from the
fund, (2) persuaded the supervisor to sign blank authorization slips the custodian could use
when the supervisor was away and used them to pay for fictitious meals and minor supplies,
and (3) took cash to get through the weekend, replacing it the next week. Postage receipts
Chapter 6 Employee Fraud and the Audit of Cash 259
were from a distant post office station the company did not use. The blank authorization
slips were dated on days the supervisor was absent. The fund was cash short during the
weekend and for a few days the following week. The fund was small ($500), but the custodian replenished it about every two working days, stealing about $50 each time. With
about 260 working days per year and 130 reimbursements, the custodian was stealing about
$6,500 per year. The custodian was looking forward to getting promoted to general cashier
and bigger and better things!
Audit Approach
The audit team should discuss petty cash procedures with the custodian and supervisor,
especially those that relate to situations in which the custodian or supervisor is not available
to provide needed petty cash. Next, a sample of petty cash reimbursement check copies with
receipts and authorization slips attached should be studied for evidence of authorization and
validity. On Friday, an audit team member should count the petty cash and receipts to see
that they total $500. Then the fund should be recounted later in the afternoon. (The second
count should be a surprise.) The custodian or supervisor should be present at all times so that
the auditor will not be accused of theft.
Required:
Based on the audit approach discussed, how would the auditor have caught this fraudulent
scheme?
LO 6-2
6.59 The Laundry Money Skim The case below tells the actual story of a cash embezzlement
scheme. The case has two major parts: (1) problem and (2) audit approach. For the case,
please consider how the auditor may have discovered the cash embezzlement scheme.
Problem
Albert owned and operated 40 coin laundries around town. As the business grew, he could
no longer visit each one, empty the cash boxes, and deposit the receipts. Each location
grossed about $140 to $160 per day, operating 365 days per year—gross receipts of about
$2 million per year. Each of four part-time employees visited 10 locations, collecting the
cash boxes and delivering them to Albert’s office where he would count the coins and currency (from the change machine) and prepare a bank deposit. One of the employees skimmed
$5 to $10 from each location visited each day.
The daily theft does not seem like much, but at an average of $7.50 per day from each of
10 locations, totaled about $27,000 per year. If all four of the employees had stolen the same
amount, the loss could have been over $100,000 per year.
Audit Approach
Controls over the part-time employees were nonexistent. There was no overt or covert surprise observation and no times when two people went to collect cash (thereby needing to
agree, in collusion, to steal). There was no rotation of locations or other indications to the
employees that Albert was concerned about control. With no controls, there is no test of
control activities. Obviously, however, “thinking like a crook” leads to the conclusion that
the employees could simply pocket money.
Assuming that some employees are honest, periodically rotating the stores assigned to
each employee and performing revenue comparisons (analytical procedures) on a store-bystore basis may be helpful. If revenues consistently decline for stores assigned to a specific
employee, further investigation may be warranted.
Required:
Based on the audit approach discussed, how might an auditor devise a procedure to catch
this fraudulent scheme?
Apollo Shoes
Audit of the Cash Account
You are a recently promoted senior (in charge) auditor for Anderson, Olds, and Watershed and have been assigned to the engagement team of a new audit client, Apollo Shoes
Inc. You have been asked to perform certain procedures for the audit of the cash account.
A detailed audit program for performing the audit of cash, as well as bank reconciliations
and supporting documentation, can be found in Connect.
Appendix 6A
Internal Control Questionnaires
EXHIBIT 6A.1 Internal Control Questionnaire—Cash Receipts Processing
Yes
No
Comments
Yes
No
Comments
1. Are cash receipts deposited daily, intact, and without delay?
2. Does someone other than the cashier or accounts receivable bookkeeper take the deposits to the bank?
3. Are the duties of the cashier entirely separate from record keeping for notes and accounts receivable?
From general ledger record keeping?
4. Is the cashier denied access to receivables records or monthly statements?
5. Is a bank reconciliation performed monthly by someone who does not have cash custody or recordkeeping responsibility?
6. Are the cash receipts journal entries compared to the remittance lists and deposit slips regularly?
7. Does the person who opens the mail make a list of cash received (a remittance list)?
8. Are currency receipts controlled by mechanical devices? Are machine totals checked by the internal auditor?
9. Are prenumbered cash receipts listings used? Is the numerical sequence checked for missing documents?
10. Does the accounting manual contain instructions for dating cash receipts entries the same day as the
date of receipt?
11. Is a duplicate deposit slip retained by someone other than the employee preparing the deposit?
12. Is the remittance list compared to the deposit by someone other than the cashier?
13. Does the accounting manual contain instructions for classifying cash receipts credits?
14. Does someone reconcile the accounts receivable subsidiary to the control account regularly (to
determine whether all entries were made to customers’ accounts)?
15. Is the duty of processing credit card payments separated from the process of processing voids?
16. If the company processes credit cards, does it maintain documentation that it is PCI (Payment Card
Industry) compliant?
EXHIBIT 6A.2 Internal Control Questionnaire—Cash Disbursements Processing
1. Are persons with cash custody or check-signing authority denied access to accounting journals,
ledgers, and bank reconciliations?
2. Is access to blank checks denied to unauthorized persons?
3. Are all disbursements except petty cash made by check?
4. Are check signers prohibited from drawing checks to cash?
5. Is signing blank checks prohibited?
6. Are voided checks mutilated and retained for inspection?
7. Are invoices, receiving reports, and purchase orders reviewed by the check signer?
8. Are the supporting documents stamped “paid” (to prevent duplicate payment) before being returned
to accounts payable for filing?
9. Are checks mailed directly by the signer and not returned to the accounts payable department for
mailing?
10. Do checks require two signatures? Is there dual control over machine signature plates?
11. Are blank checks prenumbered and the numerical sequence checked for missing documents?
12. Are checks dated in the cash disbursements journal with the date of the check?
13. Are bank accounts reconciled by personnel independent of cash custody or record keeping?
14. Do internal auditors periodically conduct a surprise audit of bank reconciliations?
15. Do the chart of accounts and accounting manual give instructions for determining debit classifications
of disbursements not charged to accounts payable?
(continued)
Chapter 6 Employee Fraud and the Audit of Cash 261
Yes
16. Is the distribution of charges checked periodically by an official? Is the budget used to check on gross
misclassification errors?
17. Are special disbursements (e.g., payroll and dividends) made from separate bank accounts?
18. Is the bank reconciliation reviewed by an accounting official with no conflicting cash receipts, cash
disbursements, or record-keeping responsibilities?
19. Are electronic banking access rights maintained on a timely basis and do not contain employees who
have left the company?
20. Is dual authorization required to process electronic payments?
21. For accounts with highly significant amounts of cash, is a third individual required to process electronic
transfers or payments?
No
Comments
Appendix 6B
Audit Plans
EXHIBIT 6B.1 Audit Plan—Tests of Controls—Cash Receipts
Documentation
Reference
Performed By
Documentation
Reference
Performed By
1. Inquire of management concerning employees who
a. Receive remittances from customers.
b. Record collections in accounts receivable.
c. Prepare and deliver deposits to the bank.
2. Observe the opening of the mail and ensure that
a. Two employees are opening the mail.
b. Checks are restrictively endorsed.
c. A listing of all checks is being prepared.
3. Observe the flow of checks and remittance advices and ensure that
a. Checks are delivered directly to the cashier.
b. Remittance advices are delivered to the accounting department.
4. Examine reconciliations of cash listings, accounts receivable payments, and bank deposits.
5. Examine reconciliations of bank statements for
a. Initials of proper review.
b. Investigation of all outstanding items reviewed for propriety.
6. Inspect evidence of payment card industry (PCI) compliance for acceptance of credit card payments.
EXHIBIT 6B.2 Audit Plan—Selected Substantive Procedures—Cash
1. Obtain confirmations from banks (standard bank confirmation).
2. Obtain reconciliations of all bank accounts.
a. Trace the bank balance on the reconciliation to the bank confirmation.
b. Trace the reconciled book balance to the general ledger.
c. Recompute the bank reconciliation for mathematical accuracy.
3. Examine the bank confirmation for evidence of loans and collateral.
4. Inquire of the client to request a cutoff bank statement for each account, to be mailed directly to
the audit firm.
a. Vouch deposits in transit on the reconciliation to the bank cutoff statement.
b. Trace the outstanding checks that have cleared the cutoff statement back to the list of
outstanding checks on the bank reconciliation.
5. Prepare a schedule of interbank transfers for a period of 10 business days before and after the
year-end date. Document dates of book entry transfer and correspondence with bank entries and
reconciliation items, if any.
6. Count cash funds in the presence of a client representative.
7. Obtain management representations concerning compensating balance agreements.
CHAPTER 7
Revenue and
Collection Cycle
I call it the Rule of Three. If you read a company’s financial statements three times, and you still can’t figure out how they make their
money, that’s usually for a reason.
James Chanos, American investment manager known for short-selling stocks
Professional Standards References
AU-C/ISA
Section
PCAOB
Reference
Audit Documentation
230
AS 1215
Consideration of Fraud in a Financial Statement Audit
240
AS 2401
Audit Planning
300
AS 2101
Identifying and Assessing the Risks of Material Misstatement
315
AS 2110
The Auditor’s Responses to Risks of Material Misstatement
330
AS 2301
Audit Evidence
500
AS 1105
External Confirmations
505
AS 2310
Substantive Analytical Procedures
520
AS 2305
Auditing Accounting Estimates
540
AS 2501
Topic
LEARNING OBJECTIVES
This is the first of four “cycle chapters” in which you
will go through the process of evaluating the audit
risks present in a specific cycle and learn how to
apply the auditing standards to the identified risks.
First, we give a general overview of the typical
activities in the revenue and collection cycle. Next,
we discuss the significant accounts and relevant
assertions in the revenue cycle. After that, we discuss
the risk of material misstatement in the revenue
cycle. Many recent frauds have consisted of improper
revenue recognition, which also results in an
overstatement of assets, usually receivables. Next, we
examine the appropriate design of controls normally
included in the cycle and how the auditor evaluates
the operating effectiveness of these controls. Finally,
we discuss substantive procedures, including
common analytical procedures. You will note that
accounts receivable confirmations are a central part
of accounts receivable auditing and are required by
GAAS. You will see examples of confirmations and
a discussion of procedures auditors perform when
sending those confirmations. We conclude with an
application of what you have learned to a specific
audit issue within the revenue and collection cycle.
263
264 Part Two The Financial Statement Audit
Your objectives are to be able to
LO 7-1
Describe the revenue and collection cycle,
including typical source documents.
LO 7-2
Identify significant accounts and relevant
assertions related to the revenue and
collection cycle.
LO 7-3
Discuss the risk of material misstatement
in the revenue and collection cycle, with
a specific focus on improper revenue
recognition.
LO 7-4
Identify important internal control activities
present in a properly designed system to
mitigate the risk of material misstatements
for each relevant assertion in the revenue
and collection cycle.
LO 7-5
Give examples of tests of controls to test the
operating effectiveness of internal controls
in the revenue and collection cycle.
LO 7-6
Give examples of substantive procedures in
the revenue and collection cycle and relate
them to assertions about significant account
balances at the end of the period.
LO 7-7
Apply your knowledge to perform audit procedures in the revenue and collection cycle
and evaluate the findings of your tests.
INTRODUCTION
In January 2018, Carillion was the second largest construction firm in the United
Kingdom (UK). Less than a month later, the name Carillion was associated far less with
construction and much more with being the company whose fraud led to calls in the UK
to break up the Big Four accounting firms for failing to report Carillion’s “accounting
tricks,” as was discussed in a May 2018 Parliamentary report:
“Richard Adam, as Finance Director between 2007 and 2016, was the architect of
Carillion’s aggressive accounting policies. He, more than anyone else, would have
been aware of the unsustainability of the company’s approach. His voluntary departure
at the end of 2016 was, for him, perfectly timed. He then sold all his Carillion shares
for £776,000 just before the wheels began very publicly coming off and their value
plummeted. These were the actions of a man who knew exactly where the company was
heading once it was no longer propped up by his accounting tricks.”1
In the construction industry, a common method of estimating revenues is to recognize
the percentage of revenue earned to date based on the percentage of expected costs
already incurred. Carillion used this type of accounting estimate as the primary tool to
manipulate its earnings. Specifically, by underestimating the total expected costs, the
company was able to materially overstate revenues, and show profits when losses existed.
The company accomplished this by using management estimates of costs and ignoring
independent peer reviews which indicated far higher expected costs and project losses,
which should have been recognized immediately. One large project resulted in the recognition of an expected profit margin of 4.9 percent, when independent estimates indicated
a loss of 12.7 percent.
In the U.S., the estimation of revenue is often a significant audit risk under the accounting
standard for revenue from contracts with customers (under ASC 606), which will be discussed in detail in this chapter. High degrees of estimation uncertainty and the need for
experts in estimating revenue almost always result in the occurrence of contract revenue
being evaluated as both a fraud risk and a significant risk of material misstatement. In
fact, the PCAOB has placed special emphasis on audits of estimates and the use of specialists in many of their recent standard-setting activities. These standards will be covered
in greater detail in Chapter 10, but as the Carillion example shows, are equally relevant
in auditing revenue.
1
House of Commons, Business, Energy and Industrial Strategy and Work and Pensions Committees, May 16, 2018.
Chapter 7 Revenue and Collection Cycle 265
REVENUE AND COLLECTION CYCLE: TYPICAL ACTIVITIES
LO 7-1
Describe the revenue and
collection cycle, including
typical source documents.
There is no such thing as a typical revenue and collection cycle. Companies come in all
shapes and sizes, and the actual revenue generation process can vary greatly among industries. For example, banks and other financial services firms do not sell tangible goods.
Restaurants typically do not grant credit to customers. Further, many companies accept all
payments electronically. For the purposes of our discussions in the four-cycle chapters, we
assume a typical manufacturing company that sells products of some kind to customers—
often other businesses—on credit. The basic activities in the revenue and collection cycle
for a company like this are (1) receiving and processing customer orders, including credit
approval; (2) delivering goods and services to customers; (3) billing customers and accounting
for accounts receivable; and (4) collecting and depositing cash received from customers.
See Exhibit 7.1 for the activities and transactions involved in a revenue and collection cycle.
Note that collecting and depositing cash received from customers was covered in Chapter 6.
As you follow the discussion in the text, you can track some of the highlighted elements of
the cycle. The numbers listed next to the headings correspond to the numbers in Exhibit 7.1.
We will discuss how different companies may vary from this “typical” cycle.
EXHIBIT 7.1 Revenue and Collection Cycle
Start
Here
Customer’s
Purchase Orders,
Contracts
Cash
Reconciliation
Customer
Payments
(Cash Receipts)
Customer
Orders
1
4
Cash Receipts
Recording
Collections
Deposit Cash
in Bank
Cash
Custody
Monthly
Statements
Sales
Invoice
To
Customer
3
Accounts
Receivable
Recording
Sales
Authorization
2
Bill
Customers
Physical
Custody
Credit
Granting
Credit Files,
Reports
Warehousing
Shipping and
Delivery
To
Customer
Shipping
Documents
To
Customer
Accounts/Records
Cash
Receipts
Transaction
File
Cash
Balances
(Account)
File
Bank
Statements
Accounts
Receivable
Master
File
Sales
Revenue
Account(s)
File
Shipping Documents (Copy)
Customer
Order
Sales Invoice
(Copy)
Shipping
Document
Transaction
File
Shipping
Documents
(Copy)
Perpetual
Inventory
Records
Cash in Bank
Cash Receipts
Accounts Receivable
Allowance for Doubtful
Accounts, Write-Offs
Bad Debt Expense
Sales Revenue
Sales Returns, Allowances,
Discounts
Perpetual Inventory Records,
Shipping Records
266 Part Two The Financial Statement Audit
Receiving and Processing Customer Orders, Including Credit Granting 1
Customers initiate sales orders in a variety of ways. They can mail purchase orders, call
or fax orders, e-mail orders, place orders on a website, or simply come to the company’s
place of business and buy their goods. In some cases, companies are directly linked to
production schedules in their customers’ computer files (via electronic data interchange,
EDI), so they can ship goods automatically as the customer needs them. Electronic or
Internet sales orders require special software controls that protect against unauthorized
orders and protect customer information.
If a company sells its goods or services for something other than cash, it is important
that someone authorizes credit sales to ensure that the customer will be able to pay for the
goods or services. Because various authorizations are embedded in a computerized system, access to the customer master file for additions, deletions, and other changes must
be limited to employees directly responsible for these tasks. If these controls fail, orders
might be processed for fictitious customers, credit might be approved for bad credit risks,
and shipping documents might be created for goods that do not exist in the inventory.
Although many companies directly grant credit to customers, others rely on thirdparty credit, such as accepting credit cards from Visa or American Express. When a
retailer accepts a third-party credit card, the authorization function is performed electronically, and the risk of nonpayment generally shifts to the third party in exchange for
a processing fee. Sales such as this are considered cash sales to the retailer. Although
authorization controls are minimized in this situation, data security becomes a significant
issue. Retailers who accept third-party credit cards must maintain compliance with Payment Card Industry Data Security Standard requirements (PCI DSS). When companies
fail to adequately protect information, they can become liable for losses to customers, as
discussed in the following Auditing Insight.
AUDITING INSIGHT
A Designer Theft
Giant high-end retailer Neiman Marcus had its customers’ credit
card and debit card data breached in May 2020. Perhaps most concerning, the breach was not detected until September 2021, allowing the crooks plenty of time to take advantage of the theft. Neiman
Marcus estimates that approximately 5 million customers had their
personal credit or debit card information stolen, including other
personal information. Neiman Marcus filed for bankruptcy in 2021,
and some pundits speculated they waited to disclose the credit card
breach until after the filing. Sadly, this was not the first time the company had been a victim to a data breach. Neiman Marcus agreed to
a settlement in 2019 worth $1.5 million with 43 states after a similar
2014 incident.
Note how important it is to protect information received during the
revenue cycle.
Source: “Neiman Marcus says May 2020 breach includes millions of payment
card numbers and expiration dates,” ZDNet, October 1, 2021.
Customer orders, shipping documents, and invoices should all be assigned sequential
numbers and should be in prenumbered sequence so the system can check the sequence
and determine whether any transactions have not been recorded (completeness assertion)
or have been duplicated (occurrence assertion). Prenumbered documents are an example
of an internal control (i.e., control activity).
Another authorization in the system is the price list master file. This file contains
the product unit prices for billing customers. Persons who have power to alter this file
have the power to authorize price changes and customer billings. For this reason, general
controls surrounding system access and authorization are tremendously important in the
revenue cycle.
Delivering Goods and Services to Customers 2
Physical custody of inventory goods starts in the storeroom or warehouse where inventory is kept. Custody is transferred to the shipping department upon the authorization
of the shipping order that permits the inventory clerk to release goods to the shipping
department. Proper authorization is important: Employees performing each of these steps
Chapter 7 Revenue and Collection Cycle 267
should document the inventory transfers so they are held accountable. This control procedure
prevents employees from misappropriating the goods or shipping product to friends without
billing them. A bill of lading is a form that the carrier signs to verify that the goods are
shipped. A packing slip, which describes the goods being shipped, and the quantity of
goods shipped, is often included with the shipment. If you have ever shipped goods
through a UPS store, you have seen a smaller version of this process in action. When
you drop off your package, UPS scans it, which assigns a tracking number, and they also
provide you with a receipt. If you were a company selling goods, the carrier would likely
pick it up from you, along with all your other shipments, and they would acknowledge
receipt of the goods through your company’s bill of lading, as well as a receipt with all
the tracking information. As you probably have noted from making purchases online,
nearly all of this documentation is electronic.
Billing Customers and Accounting for Accounts Receivable 3
When a delivery or shipment is complete, the transaction is completed by filing a shipment record and preparing a final invoice for the customer (which is recorded as sales
revenue and accounts receivable). A sales invoice is the bill sent to the customer that indicates the amount due and the payment terms. Any person who has the power to alter these
transactions or to change the invoice before it is mailed to the customer should not have
any custody of goods or cash, nor any recording responsibilities.
Access to accounts receivable records implies the power to alter them directly or
enter transactions (e.g., returns and allowance credits, write-offs) to alter them. Personnel with this power have a combination of authorization and recording responsibility.
Another important facet of control is physical protection of the files. If the files are lost or
destroyed, it is unlikely the accounts will be collected, so the records are truly assets. Limited access, frequent backup, and disaster recovery plans are important general controls
to ensure the availability of information. In addition, and quite importantly, customer and
employee information must be protected.
The most frequent reconciliation is the comparison of the sum of customers’ unpaid
balances (customer database or subsidiary ledger maintained in the accounts receivable
department) with the accounts receivable control account total (maintained in corporate
accounting). This reconciliation is accomplished by preparing a trial balance of
the accounts receivable subsidiary ledger and comparing its total with the control account
balance in the general ledger. Internal auditors can perform periodic reviews of the
customers’ balances by sending confirmations to the customers. Auditors will also test
controls surrounding collection of cash from customers, shown as in Exhibit 7.1. The
cash collection process was discussed in Chapter 6.
System-Generated Reports and Data Files in the Revenue
and Collection Cycle
Because revenue and cash receipts transactions are generally processed using electronic
systems, management is able to generate reports and data sets that can provide important
information not just for management, but also for audits. Exhibit 7.2 represents a typical
system for processing customer orders and accounts receivable. In this section, we discuss the system-generated reports that are typically produced in this system that will be
used to evaluate the risk of material misstatement and perform audit tests.
Pending Order and Back Order Master File
Sales transactions that were initiated but are not yet completed, and thus not yet recorded
as sales, are kept in the pending order master file. A back order master file contains orders
for products that are out of stock currently. Long-standing orders may represent unfilled
sales to a customer, which may result in low customer satisfaction and loss of potential
revenue. They also may represent shipments that actually were made but for some reason were not recorded in the sales journal or could not be matched to a customer order.
268 Part Two The Financial Statement Audit
Inventory
Master
(Subsidiary)
A/R
Master
(Subsidiary)
Price List
Master
File
Credit
Check
Files
Customer
Purchase Order
Pending
Order
Master
Back
Order
Master
Order Entry
Terminal
Logs
General
Ledger
Master
Packing
Slip
Online sales processing
Sales Order
Sales
Detail
(Journal)
• Authorized terminal ID
• Sales order screen
• Automatic credit check
• Inventory-on-hand check
• Immediate update of all databases
• Online status query
• Automatic transfer from pending
order to A/R and G/L master files
Stockroom
Packing
Slip
Marketing
Management
Credit
Management
Shipping
Terminal
Logs
Invoices
Back Order
Report
Daily Sales
Report
Sales Analysis
A/R Listing
and Aging
Monthly
Customer
Statements
EXHIBIT 7.2 Sales and Accounts Receivable Processing
Typically, a pending or back order report will be reviewed by the company at least weekly,
and exceptions should be reviewed. Auditors will test controls surrounding this process
and may review items in the pending orders file for evidence of the completeness of
recorded sales and accounts receivable.
Customer Master File
The system may make automatic credit checks, but up-to-date maintenance of customer
information is very important. Credit checks based on dated or incomplete information
are not good business practice. A sample of the customer master file can be tested for
current status, including up-to-date credit limit information. Alternatively, the company’s
data change controls will likely be tested to ensure the files are accurately maintained.
The company should regularly review credit limits to ensure appropriate limits are placed
on customers, and auditors will often perform exception testing on credit checks. (See
Application in the Field example later in this chapter.)
Price List Master File
The system may produce customer invoices automatically, but if the price list master file
is incorrect, the billings will be incorrect. The pricing file can be compared to an official
price source for accuracy. Generally, the official pricing should be generated by management within the sales department. The company should perform this comparison every
time it changes its prices. Remember that prices can change throughout the year. Therefore, when vouching invoices and sales journal entries to price lists, the auditor must be
sure to have the price list that was in effect at the time of the customer’s order.
Sales Detail (Journal) File
The detailed sales entries, which should correspond with the issuance of invoices to customers and should include the shipping references and dates, should be in the sales detail file.
Chapter 7 Revenue and Collection Cycle 269
The file can be scanned using computer-assisted auditing techniques (CAATs) checking
for entries without shipping references (fictitious sales?) and for matching recording dates
with shipment dates (sales recorded before shipment?). The company should always compare
daily credit sales totals in the sales journal to the total debits posted to accounts receivable.
Sales Analysis Reports
A variety of sales analysis reports can be produced. Sales that are classified by product
lines provide required information for the business segment disclosures. Sales classified
by sales employee or region can show unusually high or low volume that might bear
further investigation if an error or fraud is suspected. Analytical procedures, such as trend
analysis or comparison among sales units, can be a great help to the auditor as illustrated
by the following Auditing Insight.
AUDITING INSIGHT
Peaks and Valleys
During the year-end audit of a national manufacturer, the independent auditors imported the weekly sales volume reports classified by
region into Tableau, a data visualization software used in many audits.
By creating graphical workbooks, the auditors noticed that sales volume was very high in Region 2 in the last two weeks of March, June,
September, and December. The volume was unusually low in the first
two weeks of April, July, October, and January. In fact, the peaks far
exceeded the volume in all the other six regions. The analysis of the
sales volume reports enabled the auditors to identify and focus their
efforts on a potential overstatement of revenue in a specific region,
increasing the effectiveness and efficiency of the audit. Further investigation revealed that the manager in Region 2 was holding open the
sales journal at the end of each quarterly reporting period (i.e., including sales from the next period) in an attempt to make the quarterly
reports look good. This is an example of an analytical procedure made
possible by the ability to analyze all of the client’s data.
Accounts Receivable Listing and Aging
The accounts receivable listing of customers’ balances contains the actual amounts specifically identified with individual customers. If the control account total is higher than
the sum of the customers’ balances (trial balance), it will have to be adjusted after the difference is thoroughly investigated. Remember, a receivable amount that cannot be identified with a customer cannot be collected! The trial balance is used as the starting point
for selecting accounts for confirmation. The accounts receivable aging information is
used in connection with assessing the allowance for doubtful accounts. Auditors must
ensure that the calculation of the aging is accurate to verify that customer accounts are
not listed as current when they are in fact past due. An example of this listing, also called
an aged trial balance, is presented in Exhibit 7.10, which is shown later in this chapter.
Most audit software, including IDEA, can create an aged trial balance simply by defining
delinquency groups (e.g., <30 days, 30–59 days, etc.). This enables the auditor to assess
the adequacy of the client’s allowance for doubtful accounts.
Cash Receipts Listing
The cash receipts journal contains all the detailed entries for cash deposits and credits
to various accounts. It contains the population of entries that should be reflected in the
credits to accounts receivable for customer payments. It also contains adjusting and correcting entries that can result from the bank account reconciliation. These entries are
important because they might signal the types of accounting errors or manipulations that
occur in the cash receipts listing.
Customer Statements
Probably the best control over whether cash is received and recorded is the customer.
Therefore, sending customer statements of what has been billed, what has been paid, and
ending balances on a monthly basis enables customers to spot discrepancies and notify
the company. Statements should be sent if there is any activity in the account, even if the
ending balances are zero.
270 Part Two The Financial Statement Audit
REVIEW CHECKPOINTS
7.1 What is the basic sequence of activities and accounting in a revenue and collection cycle?
7.2 What purpose is served by prenumbering sales orders, shipping documents, and sales invoices?
7.3 What controls should be implemented to safeguard accounts receivable files?
7.4 What system-generated reports might auditors examine to find evidence of unrecorded sales? Of
inadequate credit checks? Of incorrect product unit prices?
7.5 Suppose that you selected a sample of customers’ accounts receivable and wanted to find supporting evidence for the entries in the accounts. Where would you go to vouch the debit entries
to accounts receivable? What would you expect to find? Where would you go to vouch the credit
entries? What would you expect to find?
SIGNIFICANT ACCOUNTS AND RELEVANT ASSERTIONS
LO 7-2
Identify significant accounts
and relevant assertions
related to the revenue and
collection cycle
According to the professional standards, an account or disclosure is significant if there is
a reasonable chance that it could contain a material misstatement. The auditor identifies
significant accounts and relevant assertions by applying the audit risk model.
Chapter 4 introduced the audit risk model. As noted there, this model allows auditors
to control audit risk to desired levels. Audit risk is defined as the risk that auditors will
issue an unqualified opinion on financial statements that contain a material misstatement.
Audit risk is manifested when a material misstatement enters the financial reporting process (inherent risk) that the client’s internal controls do not prevent or detect (control
risk) and that the auditors’ substantive procedures do not detect (detection risk). Recall
the basic three-step approach for using the audit risk model to plan an engagement:
1. Set audit risk at desired levels (normally, low).
2. Assess risk of material misstatement, which incorporates inherent risk, based on the
nature of the account balance or class of significant transactions, and control risk,
based on gaining an understanding of internal control. Remember that AS 2110 indicates that the auditor should presume that there is a fraud risk involving improper
revenue recognition.
3. Set detection risk at the significant account and assertion level based on the level of
audit risk and risk of material misstatement.
The components of the audit risk model are assessed for each significant account and
relevant assertion. This assessment recognizes that certain accounts and assertions assume
an increased level of importance and are of more interest to auditors than other accounts
and assertions. For example, because of the tendency to use fictitious sales to overstate
assets and revenues, the existence assertion is extremely important in the audit of accounts
receivable, and occurrence is important for sales. In addition, because material errors happen, auditors need to examine revenue and accounts receivable for completeness. However,
the auditor generally presumes that management has an incentive to overstate revenues.
Thus, auditors may assess inherent risk for the existence assertion to be higher than for the
completeness assertion for these accounts, all other things being equal.
Once all of the significant accounts and disclosures have been identified, the auditor
then needs to identify the relevant assertions. According to AS 2201.A9, a financial statement assertion is relevant if it has a “reasonable possibility of containing a misstatement
or misstatements that would cause the financial statements to be materially misstated.”
Exhibit 7.3 identifies the significant accounts and relevant assertions in the revenue cycle.
Although different companies may have other risks, in general, the most significant risks
relate to the occurrence of revenues and the existence and valuation of accounts receivable. Because of the risk of unrecorded revenue, the completeness of revenue and accounts
Chapter 7 Revenue and Collection Cycle 271
EXHIBIT 7.3
Significant Accounts
and Relevant
Assertions in
the Revenue and
Collection Cycle
Significant Account
Relevant Assertions
Revenue
Occurrence
Completeness
Cutoff
Accounts Receivable
Existence
Completeness
Valuation
REVIEW CHECKPOINTS
7.6 What makes an account significant or an assertion relevant?
7.7 Why do auditors focus on revenue as a significant account and the occurrence of revenue as a
relevant assertion in the revenue cycle?
7.8 Why is inherent risk for the existence assertion for accounts receivable often set higher than
inherent risk for the completeness assertion?
receivable is also considered a significant risk in the revenue and collection cycle. Although
we will focus our discussion on revenue and accounts receivable, we will also discuss other
accounts and assertions that may require consideration in the revenue cycle.
RISK OF MATERIAL MISSTATEMENT
LO 7-3
Discuss the risk of material
misstatement in the revenue
and collection cycle, with a
specific focus on improper
revenue recognition.
As part of the planning process, the auditor must determine the source of a misstatement
that could cause the financial statements to be materially misstated. One way to assess the
risk of material misstatement is to use the “what could go wrong?” (WCGW) approach
when thinking of each financial statement assertion. The WCGW approach is a part of each
audit firm’s process and enables a thorough assessment of the risk of material misstatement.
When considering WCGW in the revenue and collection cycle, auditors consider three
primary concerns: (1) Is revenue recognized when appropriate? (2) Is there a possibility
of customers returning the goods? (3) Are the accounts receivable collectible? Exhibit 7.4
summarizes the WCGW analysis for the revenue and collection cycle.
Revenue Recognition
The Carillion example at the beginning of this chapter is an extreme example of the
violation of accounting standards related to revenue recognition (recording revenues in
the entity’s books). FASB defines revenues as, “inflows or other enhancements of assets
EXHIBIT 7.4
What Could Go
Wrong in the Revenue
and Collection Cycle?
Significant Account
Relevant Assertions
What Could Go Wrong?
Revenue
Occurrence
Management may overstate sales by adding fictitious
transactions or inflating actual sales.
Management may fail to recognize the possibility of
customer returns.
Accounts Receivable
Completeness
Not all sales are recorded.
Cutoff
Sales have been recorded in incorrect periods.
Existence
Accounts receivable are overstated and do not represent
amounts owed from actual sales.
Completeness
Not all accounts receivable have been recorded.
Valuation
Receivables are not included in financial statements at the
appropriate amount, and the uncollectible portion of the
balance is not properly estimated.
272 Part Two The Financial Statement Audit
of an entity or settlements of its liabilities (or a combination of both) from delivering
or producing goods, rendering services, or other activities that constitute the entity’s ongoing
major or central operations.” The core revenue recognition principle is that revenue
should be recognized when goods or services are transferred to customers for the amount
the company expects to be entitled to receive in exchange for those goods or services.2
An entity’s revenue-earning activities involve delivering or producing goods, rendering
services, or performing other activities that constitute its ongoing major or central operations. Revenues are considered to have been earned when the entity has substantially
accomplished what it must do to be entitled to the benefits represented by the revenues.
Similarly, the SEC believes that revenue generally is realized or realizable and earned
when all of the following criteria are met:
∙
∙
∙
∙
Persuasive evidence of an arrangement exists.
Delivery has occurred or services have been rendered.
The seller’s price to the buyer is fixed or determinable.
Collectability is reasonably ensured.3
The SEC and the popular press have expressed concern about appropriate recognition
of revenue in financial statements. A study by research firm Audit Analytics indicated that
approximately 17.3 percent of all restatements in 2020 were related to revenue recognition.
Since 2001, the percentage of restatements related to revenue recognition has varied from a
low of 10.2 percent of all restatements in 2010 to a high of 21.3 percent of all restatements in
2003.4 Some recent restatements are listed in Exhibit 7.5. The fact that the financial statements
were restated means that the auditors missed the original misstatement or went along with the
company’s accounting treatment. In some cases, predecessor auditors accepted the accounting
treatment, but the current auditors demanded the restatement. The SEC has increased enforcement actions related to revenue recognition, as discussed in the following Auditing Insight.
AUDITING INSIGHT
Watchful Eyes
SEC Chair Mary Jo White indicated in 2014 that the SEC had increased
enforcement actions on revenue recognition by more than 20 percent
as a result of the new FASB revenue recognition standard. The SEC’s
director of enforcements, Andrew Ceresney, called revenue recognition “the New Frontier” in enforcements. The increased focus has certainly had an effect as the SEC increased independent enforcement
actions overall from 341 in 2013 to a high of 548 in 2016. However,
as companies have become more comfortable with the revenue standard, independent enforcement actions decreased to 434 in 2021.
Sources: “Revenue Recognition Changes Could Spur SEC Fraud Probes,”
CFO, December 12, 2019; “SEC Announces Enforcement Results for FY 2021,”
SEC, November 18, 2021.
The PCAOB has also noted the difficulties with auditing revenue. In its Staff Preview
of 2018 inspection results, the PCAOB noted that, “We observed frequent deficiencies
related to the design and performance of audit procedures that address the assessed risk
of material misstatement, particularly when auditing revenue.”5 These difficulties with
revenue have always been present, but have perhaps become more challenging with the
issuance of FASB ASC 606 (ASU 2014-09). The standard requires a five-step process to
achieve the core principle of revenue recognition:
1.
2.
3.
4.
5.
2
Identify the contract(s) with a customer.
Identify the performance obligations in the contract.
Determine the transaction price.
Allocate the transaction price to the performance obligations in the contract.
Recognize revenue when (or as) the entity satisfies a performance obligation.
Accounting Standards Update 2014-09, “Revenue from Contracts with Customers (Topic 606).”
Securities and Exchange Commission, Staff Accounting Bulletin No. 104. December 17, 2003.
4
Audit Analytics, 2020 Financial Restatements: A Twenty Year Review November 2021.
5
Public Company Accounting Oversight Board, "Staff Preview of 2018 Inspection Observations,” May 6, 2019.
3
Chapter 7 Revenue and Collection Cycle 273
EXHIBIT 7.5 Revenue Recognition Rogues
Company
Cause of Misstatement
Alleged Amount*
Desarrolladora
Homex
The Mexico-based homebuilding company recognized revenue from the sale of more than 100,000
homes it had neither built nor sold!
$3.3 billion
Bristol-Myers
Company offered incentives to wholesalers to build their inventories so Bristol-Meyers could meet
sales forecasts (channel stuffing).†
$2.5 billion
Nortel
Company prematurely recorded revenue from equipment sales before the buyer had taken title to the
equipment.
$1.5 billion
SeaView Video Company prematurely recorded revenues and accounts receivable for customer orders for security
Technology
camera products prior to shipping.
$1.4 billion
AOL
AOL recorded advertising revenue, some of which included one-time payments, stock sales, and
“round-trip” deals in which money flowed both ways between AOL and the advertiser.
$1 billion
Royal Ahold
Company induced third parties to provide false confirmations to auditors relating to sales and
accounts receivable.
$700 million
Luckin Coffee
Chinese coffee retailer recorded revenue for fictitious purchases of gift certificates that could be redeemed for $386 million
coffee products. Most of these certificates were “sold” to smaller companies having ties to the board chair.
Xerox
Several senior managers colluded to circumvent company’s accounting policies and administrative
procedures. The restatement related to uncollectable long-term receivables, failure to record liabilities for
amounts due to concessionaires, and, to a lesser extent, recording revenue for contracts that did not fully
meet the requirements of sales-type leases.
$207 million
Pareteum
Executives directed employees to recognize revenue based on non-binding purchase orders, prior to
product
Download